cycbot | 8a65971453c344d8d4c2785291b49c7ae5a82941fd3988bf2b4e4101b4251112

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_956474ecd72210c214575358865f2450.exe
Size

175KB
MD5

956474ecd72210c214575358865f2450
SHA1

786b0d547a6f35030ffc8fe9e27ff822edc2956a
SHA256

8a65971453c344d8d4c2785291b49c7ae5a82941fd3988bf2b4e4101b4251112
SHA512

f936a3ff264cb6004c583c7041b3c0c17306ba54e5724ce0baace6072e1d9a43ef9fe807bc8006e16ccf188cfabea1fcb2f98a927a6cac697a9b451ee6e9e1cf
SSDEEP

3072:k1bTAf8jFjstbHDHJt5+JcT3wgBKSiMIx332iXORmCpIY89K76JWyZH:GbTjxODprUcsBMgGIY8o7byN

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 64 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2156-20-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4008-17-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4772-23-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4556-26-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4828-29-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5604-32-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5008-35-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/3864-38-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/1768-41-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/3640-44-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2200-47-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5056-50-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5068-53-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/3928-56-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2032-60-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5084-59-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4028-63-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5424-66-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/1628-69-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/1364-72-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2652-75-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5868-78-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2120-81-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/1612-84-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2624-87-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/1428-90-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2368-93-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4856-96-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4560-99-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/1552-102-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/3384-105-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/960-108-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2236-111-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5616-114-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5644-117-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2496-120-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2332-187-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2032-188-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2112-191-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/1464-193-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/972-196-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/3420-199-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/540-202-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/3496-205-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/6080-208-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5404-211-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2676-214-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2368-217-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5640-220-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4864-223-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4548-226-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4784-229-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5020-232-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4488-235-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/1860-238-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5704-241-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/1768-244-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5732-247-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4776-250-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/812-253-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/3392-256-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/5068-259-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/2384-262-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral2/memory/4840-265-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Executes dropped EXE 64 IoCs

pid	Process
2156	conhost.exe
4772	conhost.exe
4556	conhost.exe
4828	conhost.exe
5604	conhost.exe
5008	conhost.exe
3864	conhost.exe
1768	conhost.exe
3640	conhost.exe
2200	conhost.exe
5056	conhost.exe
5068	conhost.exe
3928	conhost.exe
5084	conhost.exe
4028	conhost.exe
5424	conhost.exe
1628	conhost.exe
1364	conhost.exe
2652	conhost.exe
5868	conhost.exe
2120	conhost.exe
1612	conhost.exe
2624	conhost.exe
1428	conhost.exe
2368	conhost.exe
4856	conhost.exe
4560	conhost.exe
1552	conhost.exe
3384	conhost.exe
960	conhost.exe
2236	conhost.exe
5616	conhost.exe
5644	conhost.exe
2496	conhost.exe
2332	conhost.exe
1464	conhost.exe
972	conhost.exe
3420	conhost.exe
540	conhost.exe
3496	conhost.exe
6080	conhost.exe
5404	conhost.exe
2676	conhost.exe
2368	conhost.exe
5640	conhost.exe
4864	conhost.exe
4548	conhost.exe
4784	conhost.exe
5020	conhost.exe
4488	conhost.exe
1860	conhost.exe
5704	conhost.exe
1768	conhost.exe
5732	conhost.exe
4776	conhost.exe
812	conhost.exe
3392	conhost.exe
5068	conhost.exe
2384	conhost.exe
4840	conhost.exe
3972	conhost.exe
3100	conhost.exe
540	conhost.exe
1692	conhost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2032-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2156-20-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4008-17-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4008-15-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4772-23-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4556-26-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4828-29-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5604-32-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5008-35-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3864-38-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1768-41-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3640-44-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2200-47-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5056-50-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5068-53-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3928-56-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2032-60-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5084-59-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4028-63-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5424-66-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1628-69-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1364-72-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2652-75-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5868-78-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2120-81-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1612-84-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2624-87-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1428-90-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2368-93-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4856-96-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4560-99-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1552-102-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3384-105-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/960-108-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2236-111-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5616-114-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5644-117-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2496-120-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2332-187-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2032-188-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2112-191-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1464-193-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/972-196-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3420-199-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/540-202-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3496-205-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/6080-208-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5404-211-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2676-214-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2368-217-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5640-220-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4864-223-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4548-226-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4784-229-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5020-232-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4488-235-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1860-238-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5704-241-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1768-244-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5732-247-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4776-250-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/812-253-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3392-256-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/5068-259-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_956474ecd72210c214575358865f2450.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 4008	2032	JaffaCakes118_956474ecd72210c214575358865f2450.exe	90
PID 2032 wrote to memory of 4008	2032	JaffaCakes118_956474ecd72210c214575358865f2450.exe	90
PID 2032 wrote to memory of 4008	2032	JaffaCakes118_956474ecd72210c214575358865f2450.exe	90
PID 3716 wrote to memory of 2156	3716	cmd.exe	167
PID 3716 wrote to memory of 2156	3716	cmd.exe	167
PID 3716 wrote to memory of 2156	3716	cmd.exe	167
PID 5640 wrote to memory of 4772	5640	cmd.exe	94
PID 5640 wrote to memory of 4772	5640	cmd.exe	94
PID 5640 wrote to memory of 4772	5640	cmd.exe	94
PID 4472 wrote to memory of 4556	4472	cmd.exe	98
PID 4472 wrote to memory of 4556	4472	cmd.exe	98
PID 4472 wrote to memory of 4556	4472	cmd.exe	98
PID 4988 wrote to memory of 4828	4988	cmd.exe	179
PID 4988 wrote to memory of 4828	4988	cmd.exe	179
PID 4988 wrote to memory of 4828	4988	cmd.exe	179
PID 1796 wrote to memory of 5604	1796	cmd.exe	104
PID 1796 wrote to memory of 5604	1796	cmd.exe	104
PID 1796 wrote to memory of 5604	1796	cmd.exe	104
PID 1216 wrote to memory of 5008	1216	cmd.exe	107
PID 1216 wrote to memory of 5008	1216	cmd.exe	107
PID 1216 wrote to memory of 5008	1216	cmd.exe	107
PID 752 wrote to memory of 3864	752	cmd.exe	110
PID 752 wrote to memory of 3864	752	cmd.exe	110
PID 752 wrote to memory of 3864	752	cmd.exe	110
PID 5048 wrote to memory of 1768	5048	cmd.exe	113
PID 5048 wrote to memory of 1768	5048	cmd.exe	113
PID 5048 wrote to memory of 1768	5048	cmd.exe	113
PID 5960 wrote to memory of 3640	5960	cmd.exe	118
PID 5960 wrote to memory of 3640	5960	cmd.exe	118
PID 5960 wrote to memory of 3640	5960	cmd.exe	118
PID 4000 wrote to memory of 2200	4000	cmd.exe	121
PID 4000 wrote to memory of 2200	4000	cmd.exe	121
PID 4000 wrote to memory of 2200	4000	cmd.exe	121
PID 2592 wrote to memory of 5056	2592	cmd.exe	124
PID 2592 wrote to memory of 5056	2592	cmd.exe	124
PID 2592 wrote to memory of 5056	2592	cmd.exe	124
PID 3300 wrote to memory of 5068	3300	cmd.exe	127
PID 3300 wrote to memory of 5068	3300	cmd.exe	127
PID 3300 wrote to memory of 5068	3300	cmd.exe	127
PID 5044 wrote to memory of 3928	5044	cmd.exe	132
PID 5044 wrote to memory of 3928	5044	cmd.exe	132
PID 5044 wrote to memory of 3928	5044	cmd.exe	132
PID 4776 wrote to memory of 5084	4776	cmd.exe	135
PID 4776 wrote to memory of 5084	4776	cmd.exe	135
PID 4776 wrote to memory of 5084	4776	cmd.exe	135
PID 5576 wrote to memory of 4028	5576	cmd.exe	138
PID 5576 wrote to memory of 4028	5576	cmd.exe	138
PID 5576 wrote to memory of 4028	5576	cmd.exe	138
PID 2292 wrote to memory of 5424	2292	cmd.exe	141
PID 2292 wrote to memory of 5424	2292	cmd.exe	141
PID 2292 wrote to memory of 5424	2292	cmd.exe	141
PID 3788 wrote to memory of 1628	3788	cmd.exe	144
PID 3788 wrote to memory of 1628	3788	cmd.exe	144
PID 3788 wrote to memory of 1628	3788	cmd.exe	144
PID 1988 wrote to memory of 1364	1988	cmd.exe	209
PID 1988 wrote to memory of 1364	1988	cmd.exe	209
PID 1988 wrote to memory of 1364	1988	cmd.exe	209
PID 1652 wrote to memory of 2652	1652	cmd.exe	150
PID 1652 wrote to memory of 2652	1652	cmd.exe	150
PID 1652 wrote to memory of 2652	1652	cmd.exe	150
PID 1564 wrote to memory of 5868	1564	cmd.exe	215
PID 1564 wrote to memory of 5868	1564	cmd.exe	215
PID 1564 wrote to memory of 5868	1564	cmd.exe	215
PID 4228 wrote to memory of 2120	4228	cmd.exe	156

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_956474ecd72210c214575358865f2450.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_956474ecd72210c214575358865f2450.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_956474ecd72210c214575358865f2450.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_956474ecd72210c214575358865f2450.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:4008
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_956474ecd72210c214575358865f2450.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_956474ecd72210c214575358865f2450.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5960
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4192
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5108
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3960
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5416
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4736
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4828
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1128
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4632
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1012
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4348
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5428
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1364
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5868
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3416
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5436
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4876
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4516
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4572
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2324
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1468
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2496
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3876
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2336
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5516
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5056
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1224
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4128
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1824
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3424
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1972
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5416
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4736
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2216
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4696
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:812
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3392
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3968
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5468
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3964
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3448
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4508
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3572
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6116
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5132
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4192
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4544
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1376
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5008
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4972
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1100
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1108
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4760
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3676
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3656
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5524
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1212
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1948
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1604
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1324
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3376
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5800
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4544
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4748
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4804
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5100
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5752
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2056
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3876
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2024
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3928
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2088
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2872
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3964
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1988
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3452
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:224
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2368
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4656
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3864
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4248
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:876
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2236
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:904
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2720
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2920
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5128
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2848
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2548
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1364
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2736
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5864
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2216
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5112
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2876
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1588
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:928
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2836
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4876
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2224
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5300
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3476
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:736
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2024
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3760
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2680
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1396
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4180
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1488
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5364
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4312
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:404
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6060
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5172
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3960
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4952
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5012
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4568
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4152
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3884
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2236
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2260
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1752
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2112
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:468
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:784
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6140
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3164
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3560
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4880
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4912
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5432
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2012
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5832
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1180
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5724
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2312
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2024
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4424
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5436
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2368
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5960
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1496
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4976
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4952
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4736
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5504
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3024
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1544
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5352
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:548
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3420
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4816
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5432
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5012
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5504
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1304
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2040
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1352
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1824
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1948
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4460
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3000
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5216
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1588
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2684
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5380
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2012
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4524
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5500
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5232
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5684
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:448
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2160
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3164
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2852
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4320
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1168
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5604
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4900
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2912
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4448
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4928
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5588
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2312
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2340
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5864
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4188
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3356
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5108
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3152
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:464
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4088
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4872
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1120
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5520
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5832
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2600
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4196
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1676
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1224
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2548
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2132
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4684
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5364
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2428
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4372
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4416
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4364
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5076
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1380
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1476
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3212
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1468
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:724
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5308
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3076
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2352
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4060
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1464
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5444
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2192
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3840
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3660
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4560
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5172
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4476
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1376
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3192
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3976
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4828
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1940
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2060
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6024
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3372
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3336
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2680
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:940
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5884
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3388
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2056
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5056
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4348
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2500
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2160
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4860
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4772
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4504
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6120
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4988
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5736
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3800
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5832
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:816
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1460
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3476
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2332
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1748
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5912
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3716
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3840
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4460
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5132
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4368
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5800
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3192
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5008
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4152
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2060
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5356
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5480
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1108
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5588
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5676
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1748
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4348
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2192
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5516
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4312
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4124
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4960
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1320
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:960
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2684
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5574.877

Filesize
600B

MD5
a2bc15e4974e0a79cb5a76c7731600c3

SHA1
9a290888b4ea295839bcad2695e70b3d40f165be

SHA256
e92065bd23af1f03e4a1bbde2a9e39532073decbd6c6b6652f883d0817cb05a8

SHA512
8cf54ef794b61fa9b6de4adc6f7a5287b91fcca73834c4c27b8c835b7d263ca76ac865800a78c505f2cad4395ea91f7240b2358df01a5e0d6d83ac4927418635

Download Submit
C:\Users\Admin\AppData\Roaming\5574.877

Filesize
996B

MD5
fc9ffb65b2f4ecbf3170ed3f2c4a58ec

SHA1
c9917324ef7041a70d35f2c45b664797ed396244

SHA256
3b8417308647d9103330f0df5ebcb487ab439fc34a2f39fbc8e1ee3c50e67efc

SHA512
304e3634030c91cea164b59754ecd6d75ddabd8cb37173ddbdb9172fdb863085d7bf14fdba204647b09a3f3e3e4dd96ef6697f40260da48ac9e772d1b8d4f282

Download Submit
C:\Users\Admin\AppData\Roaming\5574.877

Filesize
1KB

MD5
4a01f92fc1b2f93a290c4ed81a8124a7

SHA1
b3a629a7ba88a88213edc5be8fc7e672af2d0ecb

SHA256
b5062aae78765f65b58a8b66c9d2cd411db68291342413003507b99cc1ff786a

SHA512
4d5a7db4f080598f5868227b98fedbdbff2712d3043c4d800cf6ca36edcef6a4ff1ee611fdabeb70637cc1c87a544fff773b55c4cf267de8c95b82fcf0ae667c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe

Filesize
175KB

MD5
956474ecd72210c214575358865f2450

SHA1
786b0d547a6f35030ffc8fe9e27ff822edc2956a

SHA256
8a65971453c344d8d4c2785291b49c7ae5a82941fd3988bf2b4e4101b4251112

SHA512
f936a3ff264cb6004c583c7041b3c0c17306ba54e5724ce0baace6072e1d9a43ef9fe807bc8006e16ccf188cfabea1fcb2f98a927a6cac697a9b451ee6e9e1cf

Download Submit
memory/540-202-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/812-253-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/960-108-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/972-196-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1364-72-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1428-90-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1464-193-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1552-102-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1612-84-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1628-69-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1768-244-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1768-41-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1860-238-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2032-60-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2032-188-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2032-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2032-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2112-191-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2120-81-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2156-20-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2200-47-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2236-111-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2332-187-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2368-217-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2368-93-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2384-262-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2496-120-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2624-87-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2652-75-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2676-214-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3384-105-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3392-256-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3420-199-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3496-205-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3640-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3864-38-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3928-56-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3972-268-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4008-17-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4008-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4028-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4488-235-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4548-226-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4556-26-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4560-99-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4772-23-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4776-250-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4784-229-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4828-29-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4840-265-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4856-96-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4864-223-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5008-35-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5020-232-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5056-50-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5068-53-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5068-259-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5084-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5404-211-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5424-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5604-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5616-114-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5640-220-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5644-117-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5704-241-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5732-247-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5868-78-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/6080-208-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads