cycbot | 2a1b46df4f0258ed71a52fa3fe8d4842929b9793e8b9d246f8c3995685576f72

Analysis

max time kernel
141s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe
Size

187KB
MD5

a63d7b038ea23bd7763929279b15a9c3
SHA1

08ccb92641176fc6dcbb86ff819b292bc1bef301
SHA256

2a1b46df4f0258ed71a52fa3fe8d4842929b9793e8b9d246f8c3995685576f72
SHA512

ae7d0dd9ca7c908743da041e8e2fd0cfe70dc8ddb44c1f07578f093ffd77bf1ae35c6b676122305081b70d882b74bf85f69003bc05614d512963d201d69b29dc
SSDEEP

3072:54os9MlnX1YhrVIUgAnzUdg5mbYU/X8pXB+DhPzwkzJSFeb6cWVB:54j8XChr+URnzIVbYU/QwwzAIb

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 64 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/4676-14-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2400-19-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2400-18-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3884-22-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4624-25-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4732-28-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3528-31-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4936-34-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3728-37-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4768-40-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4540-43-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2100-46-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4148-49-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4464-52-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3700-55-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5812-58-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2644-61-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5612-64-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1412-67-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1868-70-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2128-73-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/832-76-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1172-79-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1000-82-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2848-83-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/436-86-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5484-89-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1584-92-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2580-95-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2228-98-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4732-101-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4700-104-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/68-107-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/932-110-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2256-113-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2888-116-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5424-119-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5196-122-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5448-125-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1456-128-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2988-131-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1064-134-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3588-137-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5012-140-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1780-143-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1200-208-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2576-210-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2848-211-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5696-214-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2400-217-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3532-220-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4628-223-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5348-226-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4916-229-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5936-232-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/4936-235-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/6072-238-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3136-241-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2164-244-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2748-247-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/5564-250-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/892-253-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1064-256-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3588-259-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Executes dropped EXE 64 IoCs

pid	Process
2400	conhost.exe
3884	conhost.exe
4624	conhost.exe
4732	conhost.exe
3528	conhost.exe
4936	conhost.exe
3728	conhost.exe
4768	conhost.exe
4540	conhost.exe
2100	conhost.exe
4148	conhost.exe
4464	conhost.exe
3700	conhost.exe
5812	conhost.exe
2644	conhost.exe
5612	conhost.exe
1412	conhost.exe
1868	conhost.exe
2128	conhost.exe
832	conhost.exe
1172	conhost.exe
1000	conhost.exe
436	conhost.exe
5484	conhost.exe
1584	conhost.exe
2580	conhost.exe
2228	conhost.exe
4732	conhost.exe
4700	conhost.exe
68	conhost.exe
932	conhost.exe
2256	conhost.exe
2888	conhost.exe
5424	conhost.exe
5196	conhost.exe
5448	conhost.exe
1456	conhost.exe
2988	conhost.exe
1064	conhost.exe
3588	conhost.exe
5012	conhost.exe
1780	conhost.exe
1200	conhost.exe
5696	conhost.exe
2400	conhost.exe
3532	conhost.exe
4628	conhost.exe
5348	conhost.exe
4916	conhost.exe
5936	conhost.exe
4936	conhost.exe
6072	conhost.exe
3136	conhost.exe
2164	conhost.exe
2748	conhost.exe
5564	conhost.exe
892	conhost.exe
1064	conhost.exe
3588	conhost.exe
5820	conhost.exe
860	conhost.exe
4224	conhost.exe
2372	conhost.exe
5800	conhost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-1-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2848-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4676-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2400-19-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2400-18-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3884-22-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4624-25-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4732-28-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3528-31-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4936-34-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3728-37-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4768-40-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4540-43-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2100-46-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4148-49-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4464-52-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3700-55-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5812-58-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2644-61-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5612-64-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1412-67-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1868-70-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2128-73-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/832-76-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1172-79-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1000-82-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2848-83-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/436-86-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5484-89-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1584-92-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2580-95-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2228-98-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4732-101-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4700-104-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/68-107-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/932-110-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2256-113-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2888-116-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5424-119-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5196-122-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5448-125-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1456-128-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2988-131-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1064-134-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3588-137-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5012-140-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1780-143-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1200-208-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2576-210-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2848-211-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5696-214-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2400-217-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3532-220-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4628-223-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5348-226-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4916-229-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5936-232-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4936-235-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/6072-238-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3136-241-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2164-244-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2748-247-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/5564-250-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/892-253-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1388	1712	Process not Found	1746

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 4676	2848	JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe	88
PID 2848 wrote to memory of 4676	2848	JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe	88
PID 2848 wrote to memory of 4676	2848	JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe	88
PID 1584 wrote to memory of 2400	1584	cmd.exe	89
PID 1584 wrote to memory of 2400	1584	cmd.exe	89
PID 1584 wrote to memory of 2400	1584	cmd.exe	89
PID 5916 wrote to memory of 3884	5916	cmd.exe	92
PID 5916 wrote to memory of 3884	5916	cmd.exe	92
PID 5916 wrote to memory of 3884	5916	cmd.exe	92
PID 2228 wrote to memory of 4624	2228	cmd.exe	95
PID 2228 wrote to memory of 4624	2228	cmd.exe	95
PID 2228 wrote to memory of 4624	2228	cmd.exe	95
PID 4672 wrote to memory of 4732	4672	cmd.exe	99
PID 4672 wrote to memory of 4732	4672	cmd.exe	99
PID 4672 wrote to memory of 4732	4672	cmd.exe	99
PID 1300 wrote to memory of 3528	1300	cmd.exe	104
PID 1300 wrote to memory of 3528	1300	cmd.exe	104
PID 1300 wrote to memory of 3528	1300	cmd.exe	104
PID 932 wrote to memory of 4936	932	cmd.exe	107
PID 932 wrote to memory of 4936	932	cmd.exe	107
PID 932 wrote to memory of 4936	932	cmd.exe	107
PID 5032 wrote to memory of 3728	5032	cmd.exe	110
PID 5032 wrote to memory of 3728	5032	cmd.exe	110
PID 5032 wrote to memory of 3728	5032	cmd.exe	110
PID 6112 wrote to memory of 4768	6112	cmd.exe	113
PID 6112 wrote to memory of 4768	6112	cmd.exe	113
PID 6112 wrote to memory of 4768	6112	cmd.exe	113
PID 1768 wrote to memory of 4540	1768	cmd.exe	118
PID 1768 wrote to memory of 4540	1768	cmd.exe	118
PID 1768 wrote to memory of 4540	1768	cmd.exe	118
PID 1956 wrote to memory of 2100	1956	cmd.exe	121
PID 1956 wrote to memory of 2100	1956	cmd.exe	121
PID 1956 wrote to memory of 2100	1956	cmd.exe	121
PID 5208 wrote to memory of 4148	5208	cmd.exe	124
PID 5208 wrote to memory of 4148	5208	cmd.exe	124
PID 5208 wrote to memory of 4148	5208	cmd.exe	124
PID 1456 wrote to memory of 4464	1456	cmd.exe	127
PID 1456 wrote to memory of 4464	1456	cmd.exe	127
PID 1456 wrote to memory of 4464	1456	cmd.exe	127
PID 3572 wrote to memory of 3700	3572	cmd.exe	130
PID 3572 wrote to memory of 3700	3572	cmd.exe	130
PID 3572 wrote to memory of 3700	3572	cmd.exe	130
PID 1064 wrote to memory of 5812	1064	cmd.exe	135
PID 1064 wrote to memory of 5812	1064	cmd.exe	135
PID 1064 wrote to memory of 5812	1064	cmd.exe	135
PID 5096 wrote to memory of 2644	5096	cmd.exe	138
PID 5096 wrote to memory of 2644	5096	cmd.exe	138
PID 5096 wrote to memory of 2644	5096	cmd.exe	138
PID 824 wrote to memory of 5612	824	cmd.exe	141
PID 824 wrote to memory of 5612	824	cmd.exe	141
PID 824 wrote to memory of 5612	824	cmd.exe	141
PID 5644 wrote to memory of 1412	5644	cmd.exe	144
PID 5644 wrote to memory of 1412	5644	cmd.exe	144
PID 5644 wrote to memory of 1412	5644	cmd.exe	144
PID 452 wrote to memory of 1868	452	cmd.exe	147
PID 452 wrote to memory of 1868	452	cmd.exe	147
PID 452 wrote to memory of 1868	452	cmd.exe	147
PID 1668 wrote to memory of 2128	1668	cmd.exe	150
PID 1668 wrote to memory of 2128	1668	cmd.exe	150
PID 1668 wrote to memory of 2128	1668	cmd.exe	150
PID 1604 wrote to memory of 832	1604	cmd.exe	153
PID 1604 wrote to memory of 832	1604	cmd.exe	153
PID 1604 wrote to memory of 832	1604	cmd.exe	153
PID 388 wrote to memory of 1172	388	cmd.exe	156

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a63d7b038ea23bd7763929279b15a9c3.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5916
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6112
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5208
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:312
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4208
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4600
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4328
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4636
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1696
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4752
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3528
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:68

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6072
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3120
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5128
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2488
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3816
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1764
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5860
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2680
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1272
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4376
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3252
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4724
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4976
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4912
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2120
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3760
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5300
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5100
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2128
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5312
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6044
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3832
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4904
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5412
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4916
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3988
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5244
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:180
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3900
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5340
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3216
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2392
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3392
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1384
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:684
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3832
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2000
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4904
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5412
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4976
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5024
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1800
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1184
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5196
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5836
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4544
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4312
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5308
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1308
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1040
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1104
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2208
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4996
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6016
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4928
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2916
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2052
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5900
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2836
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:180
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4204
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5448
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3572
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3992
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3204
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1224
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6044
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3668
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4596
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5056
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2416
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2044
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5424
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2388
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4352
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5952
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6008
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:388
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1040
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5088
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5696
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5392
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1192
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5016
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5056
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3160
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5908
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4144
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4204
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:660
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1632
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5556
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2384
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6124
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4384
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2324
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5212
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5068
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2828
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6016
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4928
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3412
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2860
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1268
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3476
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:860
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5128
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5012
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5804
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3240
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:436
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3780
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6108
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4436
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1260
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2828
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1076
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:68

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5016
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4904
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2416
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:672
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3264
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5816
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2988
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5680
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1812
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1028
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4504
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4384
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5000
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5212
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4596
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3968
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5900
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4176
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3476
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:860
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1184
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:676
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1632
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2260
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5324
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2400
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:948
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4436
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4908
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2804
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3528
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2256
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4920
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5040
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:452
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2128
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2652
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6028
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3896
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4404
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3116
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3376
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4772
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4412
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5916
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4716
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5212
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4372
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4752
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2860
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3216
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4516
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2908
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:660
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:676
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1632
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2260
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1028
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3940
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3824
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:632
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4708
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4792
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:68
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4440
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3748
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2864
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4392
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4424
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2036
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5716
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2908
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4896
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1764
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4312
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1604
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4608
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4328
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1276
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4436
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5392
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3064
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:68
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2968
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3988
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5112
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5684
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4424
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5208
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3848
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4604
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4680
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5428
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5556
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4968
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2288
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1968
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3884
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4676
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4648
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5360
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5940
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4912
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4496
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3120
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1800
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3076
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2948
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4448
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:660
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5408
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4200
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4224
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5680
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5312
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1448
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4384
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4668
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3668
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4956
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2592
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4828
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2256
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:728
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4928
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6100
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3236
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3124
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1000
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4148
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3076
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2436
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:100
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5688
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5184
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:896
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1200
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:596
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5192
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4668
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4472
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3252
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5028
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1952
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4756
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3784
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5244
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5096
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5416
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3316
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:824
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5928
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3684
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:396
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5804
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4104
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1520
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4092
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2004
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3532
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:632
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3544
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4784
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2804
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:368
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5540
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4944
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5656
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2864
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:180
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5788
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3264
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5992
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:224
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5408
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1764
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2132
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2480
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4208
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2820
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3084
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1068
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4068
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2228
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4724
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5628
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5700
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4720
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5904
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4932
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4920
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4392
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2856
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1412
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:60
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4972
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2128
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5436
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4840
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4080
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3644
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4200
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4356
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4388
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1280
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4328
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1256
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5212
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3712
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5220
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:6008
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:68

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1564
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4980
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3528
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3088
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2120
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:552
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5660
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2344
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2408
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:732
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3264
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Adds Run key to start application
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\50D4.5A0

Filesize
600B

MD5
35011f09f526213ea7edb920e0e6ffbd

SHA1
78d0cf9e089ca25c7d6a233d2b07511c14f40928

SHA256
731396a8185bf7007ffad0fb18f7cd112d1fcb73a9ed2a10d5668bee8808a274

SHA512
c59a59931d726bd0e3005618df6205335ded9395314eb3bf25c73ccbe2c0cbb933d2e6867f88b6439ea938284f02689df1d52c7cd8637537da6b0c0c0b208736

Download Submit
C:\Users\Admin\AppData\Roaming\50D4.5A0

Filesize
996B

MD5
7283b1b11cd684b4d67d65cf7951472b

SHA1
701830badb375df280fd034de0cef3126d1d9e43

SHA256
471df5d16e6f6fbb4ab3812e1a67742ca6691fbf959f802ae2d4ec7d1499904a

SHA512
83fe6f8bbcba18870b179b25379ccb83452180e20a988a164826081f49105f21cf08ea1ad2ffd5cfc6e675ebac93330161594987cb9da51fa2caf43228103f46

Download Submit
C:\Users\Admin\AppData\Roaming\50D4.5A0

Filesize
1KB

MD5
536077ec4fbb0d452a7c8065e5bfa3a9

SHA1
41267c69c1953dedafa9f4d18cccd183cc4ca408

SHA256
8332a695af05e20a2e59bd5509394ee46017555fbdc1b4e729c5eb0e36173c41

SHA512
9afaf9389c3855c57ec32be5669ec54c168020d0052c87caccb0eb460bc875d09bc2c215a6a4eeb28f6fbc8b8cdb78edb1a05a31acee388b2b8fca932621f680

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe

Filesize
187KB

MD5
a63d7b038ea23bd7763929279b15a9c3

SHA1
08ccb92641176fc6dcbb86ff819b292bc1bef301

SHA256
2a1b46df4f0258ed71a52fa3fe8d4842929b9793e8b9d246f8c3995685576f72

SHA512
ae7d0dd9ca7c908743da041e8e2fd0cfe70dc8ddb44c1f07578f093ffd77bf1ae35c6b676122305081b70d882b74bf85f69003bc05614d512963d201d69b29dc

Download Submit
memory/68-107-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/436-86-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/832-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/860-265-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/892-253-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/932-110-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1000-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1064-134-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1064-256-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1172-79-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1200-208-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1412-67-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1456-128-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1584-92-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1780-143-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1868-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2100-46-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2128-73-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2164-244-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2228-98-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2256-113-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2400-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2400-19-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2400-217-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2576-210-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2580-95-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2644-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2748-247-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2848-211-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2848-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2848-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2848-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2888-116-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2988-131-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3136-241-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3528-31-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3532-220-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3588-137-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3588-259-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3700-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3728-37-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3884-22-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4148-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4464-52-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4540-43-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4624-25-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4628-223-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4676-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4700-104-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4732-28-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4732-101-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4768-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4916-229-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4936-34-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4936-235-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5012-140-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5196-122-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5348-226-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5424-119-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5448-125-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5484-89-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5564-250-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5612-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5696-214-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5812-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5820-262-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5936-232-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/6072-238-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads