cycbot | 35e7558ea5e568e8c393cee2c7568c143de3f4bb9a834006dc828d3f3462d1fd

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a41afc015c670ea53e8f611c0bab5165.exe
Size

166KB
MD5

a41afc015c670ea53e8f611c0bab5165
SHA1

3f9fafd85dfd5c2d4103a76aa0f58f7d2a8d186b
SHA256

35e7558ea5e568e8c393cee2c7568c143de3f4bb9a834006dc828d3f3462d1fd
SHA512

c2f7be51e861c6d643c477a272430897c6c40a1be38448c71410f5249741d7f93928bbd98e2bac973fbf3685584a49ed1baece1b2758c2e8cb892688c65759a2
SSDEEP

3072:vufEwW90LLrjzeNaDaW1S2XyabQNPxPHtHTk8cRB:2sF0eJW1rNbuFA8oB

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 64 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/5548-12-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2104-21-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4452-26-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2676-29-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1084-32-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5968-67-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5132-72-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5856-75-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4136-78-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5676-80-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2292-82-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5836-85-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2552-88-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4580-91-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5676-93-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1080-95-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/700-98-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2344-101-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/816-104-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3968-107-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1796-110-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/6052-113-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3768-116-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2484-119-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4888-122-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4428-125-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4508-128-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3880-131-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2220-134-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4676-137-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2728-140-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1204-143-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3020-146-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4560-149-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3140-152-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4132-155-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2780-158-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4080-161-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5820-164-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3564-167-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1164-170-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/6072-173-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2876-234-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1176-236-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5676-238-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1688-240-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4840-243-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5160-246-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2020-249-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4588-252-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/4812-255-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1488-258-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5256-261-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3616-264-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5864-267-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2900-270-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3796-273-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2156-276-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/5592-279-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3980-282-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2056-285-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2632-288-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1164-291-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/804-294-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Executes dropped EXE 64 IoCs

pid	Process
2104	conhost.exe
4452	conhost.exe
2676	conhost.exe
1084	conhost.exe
5968	conhost.exe
5132	conhost.exe
5856	conhost.exe
4136	conhost.exe
2292	conhost.exe
5836	conhost.exe
2552	conhost.exe
4580	conhost.exe
1080	conhost.exe
700	conhost.exe
2344	conhost.exe
816	conhost.exe
3968	conhost.exe
1796	conhost.exe
6052	conhost.exe
3768	conhost.exe
2484	conhost.exe
4888	conhost.exe
4428	conhost.exe
4508	conhost.exe
3880	conhost.exe
2220	conhost.exe
4676	conhost.exe
2728	conhost.exe
1204	conhost.exe
3020	conhost.exe
4560	conhost.exe
3140	conhost.exe
4132	conhost.exe
2780	conhost.exe
4080	conhost.exe
5820	conhost.exe
3564	conhost.exe
1164	conhost.exe
6072	conhost.exe
2876	conhost.exe
1688	conhost.exe
4840	conhost.exe
5160	conhost.exe
2020	conhost.exe
4588	conhost.exe
4812	conhost.exe
1488	conhost.exe
5256	conhost.exe
3616	conhost.exe
5864	conhost.exe
2900	conhost.exe
3796	conhost.exe
2156	conhost.exe
5592	conhost.exe
3980	conhost.exe
2056	conhost.exe
2632	conhost.exe
1164	conhost.exe
804	conhost.exe
5944	conhost.exe
1584	conhost.exe
3456	conhost.exe
2304	conhost.exe
2540	conhost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5676-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5548-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5548-10-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2104-21-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2104-19-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4452-24-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4452-26-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2676-29-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1084-32-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5968-67-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5132-72-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5856-75-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4136-78-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5676-80-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2292-82-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5836-85-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2552-88-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4580-91-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5676-93-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1080-95-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/700-98-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2344-101-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/816-104-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3968-107-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1796-110-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/6052-113-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3768-116-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2484-119-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4888-122-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4428-125-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4508-128-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3880-131-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2220-134-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4676-137-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2728-140-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1204-143-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3020-146-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4560-149-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3140-152-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4132-155-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2780-158-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4080-161-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5820-164-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3564-167-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1164-170-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/6072-173-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2876-234-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1176-236-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5676-238-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1688-240-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4840-243-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5160-246-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2020-249-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4588-252-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/4812-255-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1488-258-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5256-261-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3616-264-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5864-267-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2900-270-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3796-273-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2156-276-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5592-279-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3980-282-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5676 wrote to memory of 5548	5676	JaffaCakes118_a41afc015c670ea53e8f611c0bab5165.exe	91
PID 5676 wrote to memory of 5548	5676	JaffaCakes118_a41afc015c670ea53e8f611c0bab5165.exe	91
PID 5676 wrote to memory of 5548	5676	JaffaCakes118_a41afc015c670ea53e8f611c0bab5165.exe	91
PID 5924 wrote to memory of 2104	5924	cmd.exe	92
PID 5924 wrote to memory of 2104	5924	cmd.exe	92
PID 5924 wrote to memory of 2104	5924	cmd.exe	92
PID 3952 wrote to memory of 4452	3952	cmd.exe	96
PID 3952 wrote to memory of 4452	3952	cmd.exe	96
PID 3952 wrote to memory of 4452	3952	cmd.exe	96
PID 4760 wrote to memory of 2676	4760	cmd.exe	99
PID 4760 wrote to memory of 2676	4760	cmd.exe	99
PID 4760 wrote to memory of 2676	4760	cmd.exe	99
PID 1004 wrote to memory of 1084	1004	cmd.exe	102
PID 1004 wrote to memory of 1084	1004	cmd.exe	102
PID 1004 wrote to memory of 1084	1004	cmd.exe	102
PID 4620 wrote to memory of 5968	4620	cmd.exe	105
PID 4620 wrote to memory of 5968	4620	cmd.exe	105
PID 4620 wrote to memory of 5968	4620	cmd.exe	105
PID 5360 wrote to memory of 5132	5360	cmd.exe	108
PID 5360 wrote to memory of 5132	5360	cmd.exe	108
PID 5360 wrote to memory of 5132	5360	cmd.exe	108
PID 3140 wrote to memory of 5856	3140	cmd.exe	111
PID 3140 wrote to memory of 5856	3140	cmd.exe	111
PID 3140 wrote to memory of 5856	3140	cmd.exe	111
PID 2156 wrote to memory of 4136	2156	cmd.exe	114
PID 2156 wrote to memory of 4136	2156	cmd.exe	114
PID 2156 wrote to memory of 4136	2156	cmd.exe	114
PID 2288 wrote to memory of 2292	2288	cmd.exe	117
PID 2288 wrote to memory of 2292	2288	cmd.exe	117
PID 2288 wrote to memory of 2292	2288	cmd.exe	117
PID 5636 wrote to memory of 5836	5636	cmd.exe	120
PID 5636 wrote to memory of 5836	5636	cmd.exe	120
PID 5636 wrote to memory of 5836	5636	cmd.exe	120
PID 5664 wrote to memory of 2552	5664	cmd.exe	123
PID 5664 wrote to memory of 2552	5664	cmd.exe	123
PID 5664 wrote to memory of 2552	5664	cmd.exe	123
PID 4976 wrote to memory of 4580	4976	cmd.exe	126
PID 4976 wrote to memory of 4580	4976	cmd.exe	126
PID 4976 wrote to memory of 4580	4976	cmd.exe	126
PID 1940 wrote to memory of 1080	1940	cmd.exe	131
PID 1940 wrote to memory of 1080	1940	cmd.exe	131
PID 1940 wrote to memory of 1080	1940	cmd.exe	131
PID 5388 wrote to memory of 700	5388	cmd.exe	134
PID 5388 wrote to memory of 700	5388	cmd.exe	134
PID 5388 wrote to memory of 700	5388	cmd.exe	134
PID 3276 wrote to memory of 2344	3276	cmd.exe	137
PID 3276 wrote to memory of 2344	3276	cmd.exe	137
PID 3276 wrote to memory of 2344	3276	cmd.exe	137
PID 1872 wrote to memory of 816	1872	cmd.exe	140
PID 1872 wrote to memory of 816	1872	cmd.exe	140
PID 1872 wrote to memory of 816	1872	cmd.exe	140
PID 1580 wrote to memory of 3968	1580	cmd.exe	144
PID 1580 wrote to memory of 3968	1580	cmd.exe	144
PID 1580 wrote to memory of 3968	1580	cmd.exe	144
PID 5396 wrote to memory of 1796	5396	cmd.exe	148
PID 5396 wrote to memory of 1796	5396	cmd.exe	148
PID 5396 wrote to memory of 1796	5396	cmd.exe	148
PID 3932 wrote to memory of 6052	3932	cmd.exe	151
PID 3932 wrote to memory of 6052	3932	cmd.exe	151
PID 3932 wrote to memory of 6052	3932	cmd.exe	151
PID 2316 wrote to memory of 3768	2316	cmd.exe	154
PID 2316 wrote to memory of 3768	2316	cmd.exe	154
PID 2316 wrote to memory of 3768	2316	cmd.exe	154
PID 4892 wrote to memory of 2484	4892	cmd.exe	157

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a41afc015c670ea53e8f611c0bab5165.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a41afc015c670ea53e8f611c0bab5165.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5676
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a41afc015c670ea53e8f611c0bab5165.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a41afc015c670ea53e8f611c0bab5165.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:5548
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a41afc015c670ea53e8f611c0bab5165.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a41afc015c670ea53e8f611c0bab5165.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5388
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5396
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4324
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5900
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4588
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4500
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3464
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1412
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5804
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4252
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4188
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5388
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5972
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1892
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4452
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1096
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2864
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3896
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1908
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:800
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1904
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:920
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3432
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1112
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4188
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3968
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:836
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6124
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5548
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4380
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4396
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6088
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6076
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1964
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4136
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3352
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4780
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5952
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3504
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5516
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3224
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1232
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2376
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5200
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5148
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4880
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5864
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5684
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1452
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5372
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1904
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:920
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5596
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1432
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1308
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2128
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5344
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4848
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5136
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5048
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5504
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2160
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4492
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4660
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4836
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2884
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4784
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5684
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1452
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3304
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:920
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5920
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4876
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6016
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6132
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3112
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:516
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5964
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4492
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4476
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3896
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4348
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4736
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2844
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2872
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1940
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1404
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4272
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6048
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1920
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6132
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6124
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1368
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2160
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4492
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4696
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3960
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6068
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4620
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4136
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5892
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5836
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4780
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5352
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4056
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4328
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3112
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4892
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1400
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5156
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2716
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1964
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5712
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1996
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4844
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3952
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3964
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6072
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4780
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3452
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3968
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4408
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2016
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6024
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6044
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4448
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4600
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4668
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3500
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2236
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1844
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4556
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2500
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5716
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3276
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1308
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1372
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4340
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1368
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3056
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4660
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4880
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2884
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5180
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2792
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5612
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1260
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6072
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6016
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2876
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5928
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5388
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5136
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5784
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1876
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2484
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5472
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2300
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4476
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2716
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2840
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3448
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3464
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3040
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3908
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1952
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2232
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4848
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1308
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:548
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5048
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:412
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2204
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1188
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4500
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4448
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5968
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4612
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5764
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2844
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5296
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4248
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5196
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1404
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6040
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2252
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:60
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5928
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5880
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4588
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4512
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3056
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:208
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4656
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1300
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4348
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1996
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1144
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4132
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5464
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5696
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3536
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5920
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1824
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5344
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4048
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5100
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5876
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5388
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4380
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5404
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1496
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4600
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5832
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3460
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5296
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5808
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3908
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4556
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3284
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1040
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5088
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2252
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3868
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5556
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4996
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5060
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5304
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4424
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3880
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4492
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5472
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2136
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3236
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4600
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1300
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5832
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5764
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3048
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5808
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5544
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1448
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1308
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4780
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5840
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5880
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5048
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:116
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2488
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4424
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4492
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5040
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4040
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3336
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6036
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3048
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4976
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1832
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1444
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:816
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2784
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1492
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:60
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1892
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5300
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2376
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:116
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1196
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2460
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1680
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3740
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3960
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1996
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3940
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2036
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1836
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6072
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1392
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3676
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2120
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1500
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5828
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5100
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4648
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4296
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1400
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5332
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4148
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4812
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4764
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2940
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2136
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1276
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4676
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1300
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5692
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3136
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4008
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5420
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:612
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4252
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5620
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2232
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2304
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2108
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4420
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4924
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4324
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6100
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4416
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2832
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2376
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2828
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6024
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:208
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4748
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7AEE.CEA

Filesize
996B

MD5
58736ca53fd4a5c97898ead5f1fed66f

SHA1
707046101a0c3192ee1170d38376f58a456eb638

SHA256
9f90ac9b1422758fdb877adc3e02dc2fb86abe165dab4739131295b6f16fc5ee

SHA512
e637f0d6e069890339dc6a88881d2768b7401ae53432fadc135a2917f963243bbedf2637c7cc85385ddbfc6722c2760525b43895f5d017c728e32d42cf67e58c

Download Submit
C:\Users\Admin\AppData\Roaming\7AEE.CEA

Filesize
600B

MD5
1eae359652ab2f03cb8698c638457612

SHA1
401dab530058646db98b71893570f5c2764b1433

SHA256
e071b69a329d5753b20a12f8e072e9ed5e273002e7ad9054b192781d85c0c781

SHA512
4ba7a84a550df6ad492c74d10086d538162681cab1066de1a43d5ba58366c1a9af0495bd1b9c8079d9111d887097fc17ae67d93af80dd0cadef2dc3446138313

Download Submit
C:\Users\Admin\AppData\Roaming\7AEE.CEA

Filesize
1KB

MD5
57beca3cb9a8b759c0ebad68e26485c8

SHA1
cbe42a6b736396fde5b114e78a17944c6f1361cd

SHA256
ddf588d856191cce5f94319f26b0804bb713b057fd1a758da6850c3a4d515d20

SHA512
bfbca199a43cf2bb99117bb4c9c6c1929d549dc796e82424df3f46ee5d2aa0821155dc85bed350753737530ba5c88d729e8a974654cffa113680f2f11d1ca619

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe

Filesize
166KB

MD5
a41afc015c670ea53e8f611c0bab5165

SHA1
3f9fafd85dfd5c2d4103a76aa0f58f7d2a8d186b

SHA256
35e7558ea5e568e8c393cee2c7568c143de3f4bb9a834006dc828d3f3462d1fd

SHA512
c2f7be51e861c6d643c477a272430897c6c40a1be38448c71410f5249741d7f93928bbd98e2bac973fbf3685584a49ed1baece1b2758c2e8cb892688c65759a2

Download Submit
memory/700-98-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/804-294-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/816-104-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1080-95-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1084-32-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1164-170-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1164-291-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1176-236-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1204-143-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1488-258-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1584-300-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1688-240-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1796-110-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2020-249-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2056-285-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2104-18-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2104-21-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2104-19-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2156-276-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2220-134-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2292-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2344-101-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2484-119-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2552-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2632-288-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2676-29-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2728-140-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2780-158-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2876-234-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2900-270-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3020-146-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3140-152-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3564-167-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3616-264-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3768-116-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3796-273-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3880-131-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3968-107-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3980-282-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4080-161-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4132-155-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4136-78-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4428-125-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4452-24-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4452-26-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4508-128-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4560-149-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4580-91-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4588-252-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4676-137-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4812-255-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4840-243-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4888-122-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5132-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5160-246-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5256-261-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5548-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5548-10-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5592-279-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5676-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5676-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5676-238-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5676-93-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5820-164-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5836-85-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5856-75-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5864-267-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5944-297-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5968-67-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/6052-113-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/6072-173-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads