cycbot | d9da6f83ee3711995710e19f7cf9ef029ed227f9863f61b5078ac25e7339eeed

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9842aa1a39f83c18b9056a6fe765b78a.exe
Size

164KB
MD5

9842aa1a39f83c18b9056a6fe765b78a
SHA1

209a87a36be5b96f72b2288fcd8f09710cfcba49
SHA256

d9da6f83ee3711995710e19f7cf9ef029ed227f9863f61b5078ac25e7339eeed
SHA512

998b80a2ea6d49e18b9143692fddb940cce2af2478e6d386073c1a3676b967807f6f97bd49d8a2dcf531dc4fcde37b354c3c5aff63588208d163746bd37f7147
SSDEEP

3072:tnd9nn6kAe7p6Yg58ZzMU48NSkvbJ8X46J4sm+pkKhB8t2PXQcQWrwmewJi:Nb6kAs6FCzA8NSto6wcHz87yQ

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 64 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral2/memory/2132-15-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5772-21-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5540-26-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4576-29-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4708-32-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3140-35-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4848-38-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5972-41-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5224-43-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/1512-45-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3632-48-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4648-51-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5152-54-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5748-57-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5396-60-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/1432-63-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/740-66-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/1596-69-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5476-72-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5900-75-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5668-78-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3948-81-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4424-84-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/316-87-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5344-90-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5540-93-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4544-96-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4752-99-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/1920-102-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4784-105-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/2580-108-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5056-111-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4368-115-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/704-118-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5964-177-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3996-179-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5064-182-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/2068-185-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3844-188-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/6024-191-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/2280-194-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3948-197-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5380-200-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3128-203-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4968-206-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5540-209-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4544-212-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4612-215-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3140-218-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/788-221-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4792-224-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3724-227-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/6112-230-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5848-233-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3656-236-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/3308-239-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/400-242-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5116-245-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/4556-248-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/1948-251-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/2728-254-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5908-257-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/5360-260-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot
behavioral2/memory/6124-263-0x0000000000400000-0x0000000000444000-memory.dmp	family_cycbot

Executes dropped EXE 64 IoCs

pid	Process
5772	conhost.exe
5540	conhost.exe
4576	conhost.exe
4708	conhost.exe
3140	conhost.exe
4848	conhost.exe
5972	conhost.exe
1512	conhost.exe
3632	conhost.exe
4648	conhost.exe
5152	conhost.exe
5748	conhost.exe
5396	conhost.exe
1432	conhost.exe
740	conhost.exe
1596	conhost.exe
5476	conhost.exe
5900	conhost.exe
5668	conhost.exe
3948	conhost.exe
4424	conhost.exe
316	conhost.exe
5344	conhost.exe
5540	conhost.exe
4544	conhost.exe
4752	conhost.exe
1920	conhost.exe
4784	conhost.exe
2580	conhost.exe
5056	conhost.exe
4368	conhost.exe
704	conhost.exe
3996	conhost.exe
5064	conhost.exe
2068	conhost.exe
3844	conhost.exe
6024	conhost.exe
2280	conhost.exe
3948	conhost.exe
5380	conhost.exe
3128	conhost.exe
4968	conhost.exe
5540	conhost.exe
4544	conhost.exe
4612	conhost.exe
3140	conhost.exe
788	conhost.exe
4792	conhost.exe
3724	conhost.exe
6112	conhost.exe
5848	conhost.exe
3656	conhost.exe
3308	conhost.exe
400	conhost.exe
5116	conhost.exe
4556	conhost.exe
1948	conhost.exe
2728	conhost.exe
5908	conhost.exe
5360	conhost.exe
6124	conhost.exe
4040	conhost.exe
6016	conhost.exe
1168	conhost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5224-2-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2132-15-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5772-19-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5772-18-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5772-21-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5540-24-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5540-26-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4576-29-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4708-32-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3140-35-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4848-38-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5972-41-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5224-43-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1512-45-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3632-48-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4648-51-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5152-54-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5748-57-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5396-60-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1432-63-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/740-66-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1596-69-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5476-72-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5900-75-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5668-78-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3948-81-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4424-84-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/316-87-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5344-90-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5540-93-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4544-96-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4752-99-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1920-102-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4784-105-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2580-108-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5056-111-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4368-115-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/704-118-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5964-177-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3996-179-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5064-182-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2068-185-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3844-188-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/6024-191-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2280-194-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3948-197-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5380-200-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3128-203-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4968-206-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5540-209-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4544-212-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4612-215-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3140-218-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/788-221-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4792-224-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3724-227-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/6112-230-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5848-233-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3656-236-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3308-239-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/400-242-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/5116-245-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/4556-248-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1948-251-0x0000000000400000-0x0000000000444000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5224 wrote to memory of 2132	5224	JaffaCakes118_9842aa1a39f83c18b9056a6fe765b78a.exe	88
PID 5224 wrote to memory of 2132	5224	JaffaCakes118_9842aa1a39f83c18b9056a6fe765b78a.exe	88
PID 5224 wrote to memory of 2132	5224	JaffaCakes118_9842aa1a39f83c18b9056a6fe765b78a.exe	88
PID 5112 wrote to memory of 5772	5112	cmd.exe	89
PID 5112 wrote to memory of 5772	5112	cmd.exe	89
PID 5112 wrote to memory of 5772	5112	cmd.exe	89
PID 5532 wrote to memory of 5540	5532	cmd.exe	93
PID 5532 wrote to memory of 5540	5532	cmd.exe	93
PID 5532 wrote to memory of 5540	5532	cmd.exe	93
PID 5096 wrote to memory of 4576	5096	cmd.exe	96
PID 5096 wrote to memory of 4576	5096	cmd.exe	96
PID 5096 wrote to memory of 4576	5096	cmd.exe	96
PID 4536 wrote to memory of 4708	4536	cmd.exe	99
PID 4536 wrote to memory of 4708	4536	cmd.exe	99
PID 4536 wrote to memory of 4708	4536	cmd.exe	99
PID 3260 wrote to memory of 3140	3260	cmd.exe	103
PID 3260 wrote to memory of 3140	3260	cmd.exe	103
PID 3260 wrote to memory of 3140	3260	cmd.exe	103
PID 4260 wrote to memory of 4848	4260	cmd.exe	107
PID 4260 wrote to memory of 4848	4260	cmd.exe	107
PID 4260 wrote to memory of 4848	4260	cmd.exe	107
PID 2908 wrote to memory of 5972	2908	cmd.exe	110
PID 2908 wrote to memory of 5972	2908	cmd.exe	110
PID 2908 wrote to memory of 5972	2908	cmd.exe	110
PID 3608 wrote to memory of 1512	3608	cmd.exe	113
PID 3608 wrote to memory of 1512	3608	cmd.exe	113
PID 3608 wrote to memory of 1512	3608	cmd.exe	113
PID 1080 wrote to memory of 3632	1080	cmd.exe	117
PID 1080 wrote to memory of 3632	1080	cmd.exe	117
PID 1080 wrote to memory of 3632	1080	cmd.exe	117
PID 2144 wrote to memory of 4648	2144	cmd.exe	122
PID 2144 wrote to memory of 4648	2144	cmd.exe	122
PID 2144 wrote to memory of 4648	2144	cmd.exe	122
PID 3784 wrote to memory of 5152	3784	cmd.exe	125
PID 3784 wrote to memory of 5152	3784	cmd.exe	125
PID 3784 wrote to memory of 5152	3784	cmd.exe	125
PID 3364 wrote to memory of 5748	3364	cmd.exe	128
PID 3364 wrote to memory of 5748	3364	cmd.exe	128
PID 3364 wrote to memory of 5748	3364	cmd.exe	128
PID 6032 wrote to memory of 5396	6032	cmd.exe	132
PID 6032 wrote to memory of 5396	6032	cmd.exe	132
PID 6032 wrote to memory of 5396	6032	cmd.exe	132
PID 2164 wrote to memory of 1432	2164	cmd.exe	136
PID 2164 wrote to memory of 1432	2164	cmd.exe	136
PID 2164 wrote to memory of 1432	2164	cmd.exe	136
PID 2012 wrote to memory of 740	2012	cmd.exe	139
PID 2012 wrote to memory of 740	2012	cmd.exe	139
PID 2012 wrote to memory of 740	2012	cmd.exe	139
PID 1628 wrote to memory of 1596	1628	cmd.exe	142
PID 1628 wrote to memory of 1596	1628	cmd.exe	142
PID 1628 wrote to memory of 1596	1628	cmd.exe	142
PID 4280 wrote to memory of 5476	4280	cmd.exe	145
PID 4280 wrote to memory of 5476	4280	cmd.exe	145
PID 4280 wrote to memory of 5476	4280	cmd.exe	145
PID 2688 wrote to memory of 5900	2688	cmd.exe	148
PID 2688 wrote to memory of 5900	2688	cmd.exe	148
PID 2688 wrote to memory of 5900	2688	cmd.exe	148
PID 5596 wrote to memory of 5668	5596	cmd.exe	151
PID 5596 wrote to memory of 5668	5596	cmd.exe	151
PID 5596 wrote to memory of 5668	5596	cmd.exe	151
PID 4516 wrote to memory of 3948	4516	cmd.exe	154
PID 4516 wrote to memory of 3948	4516	cmd.exe	154
PID 4516 wrote to memory of 3948	4516	cmd.exe	154
PID 5348 wrote to memory of 4424	5348	cmd.exe	157

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9842aa1a39f83c18b9056a6fe765b78a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9842aa1a39f83c18b9056a6fe765b78a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5224
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9842aa1a39f83c18b9056a6fe765b78a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9842aa1a39f83c18b9056a6fe765b78a.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2132
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9842aa1a39f83c18b9056a6fe765b78a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9842aa1a39f83c18b9056a6fe765b78a.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5596
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5348
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3668
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5304
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1340
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5000
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4660
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4112
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6096
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3196
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1824
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5296
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1216
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2976
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:212
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4428
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1168
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5404
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2000
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2096
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1028
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2060
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5568
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4468
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4216
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5916
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3632
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3528
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5896
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2492
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4964
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5400
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5000
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3896
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4868
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4824
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3568
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5716
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1096
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3520
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2164
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2492
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2340
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1140
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3464
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1480
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:748
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3548
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3196
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3620
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2920
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3600
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2184
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5496
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1720
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5960
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1480
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3992
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5996
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1432
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6060
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3580
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1752
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3288
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2380
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4404
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4044
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1340
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5468
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5412
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1028
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3992
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1304
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5568
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4468
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4336
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2364
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4088
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2480
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1596
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4264
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4432
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4188
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1536
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4612
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3724
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1144
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2580
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2024
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5972
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3276
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:264
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3460
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1148
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3832
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5908
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5668
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4328
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1428
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4040
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4044
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5248
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2368
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1340
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4600
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3124
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3608
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4880
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:264
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5964
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4468
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6072
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4428
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2132
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1604
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3244
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5736
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3516
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5012
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3740
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4112
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5816
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:400
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2288
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5748
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2708
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1904
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5896
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5076
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1752
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6124
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2420
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4188
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5348
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4904
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3752
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4912
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5468
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1184
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3012
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:748
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:872
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4868
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3276
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:400
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5660
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1824
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2976
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3000
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3216
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4544
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5724
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2368
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2000
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1028
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2748
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5172
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4476
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3988
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3660
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2364
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5296
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4132
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1752
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4236
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4604
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4244
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4544
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2368
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4992
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1400
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2892
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:912
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3784
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5816
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1132
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2044
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1648
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3612
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2232
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3948
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5400
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6016
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3256
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5408
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5724
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3124
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2952
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4864
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3460
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5900
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3396
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:996
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5076
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2516
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5356
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5328
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2336
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4948
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3464
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1340
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4792
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2952
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5976
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4720
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5208
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5880
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5896
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:740
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2184
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2188
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5596
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5620
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2884
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:232
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3268
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2136
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4792
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3124
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4048
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4296
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:912
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5152
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4464
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5256
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3320
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6072
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4400
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2780
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4596
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4188
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4676
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5960
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2608
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1740
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5716
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1556
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:244
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5996
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2684
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5908
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:992
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5328
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3724
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5404
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5320
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3572
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5244
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5720
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5176
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5892
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3996
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2068
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3720
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2404
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4368
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1824
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3948
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5140
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3884
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4948
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1172
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3752
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5088
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5244
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2748
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4476
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5568
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3196
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4272
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2696
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5916
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2548
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4500
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3256
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5408
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5BAF.30C

Filesize
600B

MD5
6b7e120d539d005b253b94866ffae050

SHA1
26b959c1309990abe89c31dbeae8b1d623bef7c2

SHA256
06a5f2464851d46b8c5e35c9cc90558db32c963f0e4bb4f72a366e34b180d0ab

SHA512
b821b9a09a9ee5e42e3376d2d18fed37082aa57dd3abffd202430323973307e04cd48aba7e5ee048f6bb06d3914a3f5a97f60cd19e3952ee0220ac85aeca3255

Download Submit
C:\Users\Admin\AppData\Roaming\5BAF.30C

Filesize
996B

MD5
73a57c8710568a76a35b824bd0bd1011

SHA1
331c600dbdcbb2438d4b709417e4935941b16a19

SHA256
cf4c6c17bee30baf5c41da6b88a20a5dec62e55b73e7398dca73ce3b83b1052d

SHA512
a65d50556b80987b503156a654949a9d2f6925314672606804539ccd9c8e7e4fe53465589225e8cb565764a6fc019b0a8b28d403b58773e2d13c4277de076bd9

Download Submit
C:\Users\Admin\AppData\Roaming\5BAF.30C

Filesize
1KB

MD5
152651ed940f59754e5f208cfa24a6cc

SHA1
33fab6712cd632b8919251397b5cce054a009b80

SHA256
4270a81e543b10637a72d870c9b325c7f3999b4383bb46b5e39e8c703cc22b62

SHA512
e4e5bc3dd2678802a58502411b0c96945b3630a7b46d635df6ade70808ff3de5181d2ffe7431d40168c397f3a99dc740335d1ff2d302612c2e67d2d40a7daa7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe

Filesize
164KB

MD5
9842aa1a39f83c18b9056a6fe765b78a

SHA1
209a87a36be5b96f72b2288fcd8f09710cfcba49

SHA256
d9da6f83ee3711995710e19f7cf9ef029ed227f9863f61b5078ac25e7339eeed

SHA512
998b80a2ea6d49e18b9143692fddb940cce2af2478e6d386073c1a3676b967807f6f97bd49d8a2dcf531dc4fcde37b354c3c5aff63588208d163746bd37f7147

Download Submit
memory/316-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/400-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/704-118-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/740-66-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/788-221-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1432-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-69-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1920-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2132-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-194-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3128-203-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3140-35-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3140-218-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3308-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3632-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3656-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3724-227-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3844-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3948-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3948-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3996-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4368-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4424-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4556-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4576-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4648-51-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4708-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4752-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4848-38-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4968-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5056-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5064-182-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5116-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5152-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5224-43-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5224-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5224-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5344-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5360-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5380-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5396-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5476-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5540-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5540-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5540-26-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5540-93-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5668-78-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5748-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5772-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5772-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5772-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5848-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5900-75-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5908-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5964-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5972-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6024-191-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6112-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6124-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads