xtremerat | e19b44b2996629c059329bb07297cf98b41ade8439add0c2187a93d6eab0c72b

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Size

44KB
MD5

53facfdf8219a139fa7c928c05737ccd
SHA1

265276d5c1cf841690fd0cf40de55507399fa20d
SHA256

e19b44b2996629c059329bb07297cf98b41ade8439add0c2187a93d6eab0c72b
SHA512

042f28b0d80ee0e45b2168f57cbbb55066eaa4d3de3dbbf4bc68baf2e2b3d592299f59720a1edf1313c74a91439798126662da9133e7754b825488cbcad109fc
SSDEEP

768:rBr+tjFqTPkAlfztB1lr6an3smTA8uvm2DfOTwYPIFzocja:FyRUHlrL1lr6an3TLuvm2buQVo0a

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

vip.no-ip.org

Signatures

Detect XtremeRAT payload 29 IoCs

resource	yara_rule
behavioral1/memory/2664-8-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/files/0x0008000000015d87-9.dat	family_xtremerat
behavioral1/memory/2420-12-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1892-16-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2908-26-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3000-36-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/888-46-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1460-48-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2288-71-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3036-83-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2424-88-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2220-90-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2108-100-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/884-109-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/880-118-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2684-122-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1720-145-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1068-154-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1464-160-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2804-163-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2920-172-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1932-181-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2180-193-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/3036-196-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1072-199-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/868-210-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2392-219-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2116-228-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1616-231-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\system32\\Conact\\Conact.scr restart"	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\system32\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\system32\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\system32\\Conact\\Conact.scr restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\system32\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr

Deletes itself 1 IoCs

pid	Process
2420	explorer.exe

Executes dropped EXE 45 IoCs

pid	Process
3000	Conact.scr
1460	Conact.scr
3036	Conact.scr
2220	Conact.scr
2424	Conact.scr
884	Conact.scr
2684	Conact.scr
1068	Conact.scr
2804	Conact.scr
1464	Conact.scr
1932	Conact.scr
1072	Conact.scr
3036	Conact.scr
2392	Conact.scr
1616	Conact.scr
2772	Conact.scr
1172	Conact.scr
2232	Conact.scr
2348	Conact.scr
1464	Conact.scr
1888	Conact.scr
1076	Conact.scr
2772	Conact.scr
1888	Conact.scr
864	Conact.scr
2636	Conact.scr
2092	Conact.scr
3108	Conact.scr
3288	Conact.scr
3316	Conact.scr
3384	Conact.scr
3600	Conact.scr
3640	Conact.scr
3704	Conact.scr
3888	Conact.scr
3904	Conact.scr
4000	Conact.scr
3124	Conact.scr
3324	Conact.scr
2632	Conact.scr
3652	Conact.scr
3864	Conact.scr
3992	Conact.scr
3124	Conact.scr
3988	Conact.scr

Loads dropped DLL 62 IoCs

pid	Process
1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
3000	Conact.scr
3000	Conact.scr
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
3036	Conact.scr
3036	Conact.scr
884	Conact.scr
884	Conact.scr
2664	svchost.exe
2664	svchost.exe
1068	Conact.scr
1068	Conact.scr
2664	svchost.exe
2664	svchost.exe
1932	Conact.scr
1932	Conact.scr
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2392	Conact.scr
2392	Conact.scr
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
1172	Conact.scr
1172	Conact.scr
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
1464	Conact.scr
1464	Conact.scr
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2772	Conact.scr
2772	Conact.scr
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2636	Conact.scr
2636	Conact.scr
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe
2664	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Conact\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2664	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	30
PID 1892 wrote to memory of 2664	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	30
PID 1892 wrote to memory of 2664	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	30
PID 1892 wrote to memory of 2664	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	30
PID 1892 wrote to memory of 2664	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	30
PID 1892 wrote to memory of 2408	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	31
PID 1892 wrote to memory of 2408	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	31
PID 1892 wrote to memory of 2408	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	31
PID 1892 wrote to memory of 2408	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	31
PID 1892 wrote to memory of 2420	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	32
PID 1892 wrote to memory of 2420	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	32
PID 1892 wrote to memory of 2420	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	32
PID 1892 wrote to memory of 2420	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	32
PID 1892 wrote to memory of 2420	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	32
PID 1892 wrote to memory of 2408	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	31
PID 1892 wrote to memory of 2956	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	33
PID 1892 wrote to memory of 2956	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	33
PID 1892 wrote to memory of 2956	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	33
PID 1892 wrote to memory of 2956	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	33
PID 1892 wrote to memory of 2956	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	33
PID 1892 wrote to memory of 2984	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2984	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2984	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2984	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2984	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	34
PID 1892 wrote to memory of 2940	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	35
PID 1892 wrote to memory of 2940	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	35
PID 1892 wrote to memory of 2940	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	35
PID 1892 wrote to memory of 2940	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	35
PID 1892 wrote to memory of 2940	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	35
PID 1892 wrote to memory of 2988	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	36
PID 1892 wrote to memory of 2988	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	36
PID 1892 wrote to memory of 2988	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	36
PID 1892 wrote to memory of 2988	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	36
PID 1892 wrote to memory of 2988	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	36
PID 1892 wrote to memory of 2840	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	37
PID 1892 wrote to memory of 2840	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	37
PID 1892 wrote to memory of 2840	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	37
PID 1892 wrote to memory of 2840	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	37
PID 1892 wrote to memory of 2840	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	37
PID 1892 wrote to memory of 2848	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	38
PID 1892 wrote to memory of 2848	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	38
PID 1892 wrote to memory of 2848	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	38
PID 1892 wrote to memory of 2848	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	38
PID 1892 wrote to memory of 2848	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	38
PID 1892 wrote to memory of 2060	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	39
PID 1892 wrote to memory of 2060	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	39
PID 1892 wrote to memory of 2060	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	39
PID 1892 wrote to memory of 2060	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	39
PID 1892 wrote to memory of 3000	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	40
PID 1892 wrote to memory of 3000	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	40
PID 1892 wrote to memory of 3000	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	40
PID 1892 wrote to memory of 3000	1892	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	40
PID 3000 wrote to memory of 2852	3000	Conact.scr	41
PID 3000 wrote to memory of 2852	3000	Conact.scr	41
PID 3000 wrote to memory of 2852	3000	Conact.scr	41
PID 3000 wrote to memory of 2852	3000	Conact.scr	41
PID 3000 wrote to memory of 2908	3000	Conact.scr	42
PID 3000 wrote to memory of 2908	3000	Conact.scr	42
PID 3000 wrote to memory of 2908	3000	Conact.scr	42
PID 3000 wrote to memory of 2908	3000	Conact.scr	42
PID 3000 wrote to memory of 2908	3000	Conact.scr	42
PID 3000 wrote to memory of 2852	3000	Conact.scr	41
PID 3000 wrote to memory of 2716	3000	Conact.scr	43

C:\Users\Admin\AppData\Local\Temp\53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2664
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3036
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2288
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2444
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2972
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2096
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:572
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:816
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1252
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2424
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2220
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2404
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2244
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2252
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2104
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2456
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2216
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2248
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:884
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:824
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:372
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1712
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1692
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1056
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2256
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1388
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1424
    - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2684
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2016
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:880
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1608
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2284
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2140
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1068
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1720
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2148
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2052
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2824
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2860
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2924
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2876
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2160
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2804
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:804
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3024
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1672
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2440
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2752
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1560
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2812
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1040
    - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:912
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:268
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2004
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2308
      - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\system32\Conact\Conact.scr" /S
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:2180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1976
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1464
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3036
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2392
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1064
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:868
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1724
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1936
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1004
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1092
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2360
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2212
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1616
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2044
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2368
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2912
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2884
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:736
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1996
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2020
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2772
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2992
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2744
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2396
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:924
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2592
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1864
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1460
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1172
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1276
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1696
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2436
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2088
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2388
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2424
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1216
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2232
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1968
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:384
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1168
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:300
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1516
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1048
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:968
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2348
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:3004
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:880
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1616
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1892
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2600
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2420
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1740
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1464
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1500
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1628
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2624
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2620
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:936
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:656
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1736
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1888
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1208
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:992
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2688
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:340
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1700
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2792
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1884
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1248
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1076
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1568
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1552
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2348
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2628
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2736
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1488
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2772
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1752
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2756
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1880
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2280
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1500
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1592
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1172
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1888
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2340
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:868
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1960
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2996
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1348
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1540
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1680
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:864
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      PID:1572
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2332
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2640
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1568
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1556
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1888
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1352
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2636
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2932
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:932
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2232
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:864
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2392
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:860
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2108
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2092
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3128
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3168
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3188
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3204
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3224
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3240
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3260
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3276
    - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3288
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3344
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3416
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3468
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3492
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3580
      - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3900
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3108
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3160
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3176
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3196
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3212
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3232
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3248
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3268
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3300
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:3316
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3368
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3424
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3448
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3476
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3500
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3528
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3560
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\SysWOW64\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3744
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3772
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3796
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3824
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3876
      - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\SysWOW64\Conact\Conact.scr" /S
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3904
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3384
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3404
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3432
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3460
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3484
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3512
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3536
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3572
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3704
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3724
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3752
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3780
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3804
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3832
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3856
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4052
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4068
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4088
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3100
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3096
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1564
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3296
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:3324
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3376
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3616
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3656
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3384
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2644
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3940
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3948
    - - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\SysWOW64\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3980
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3356
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2632
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3704
      - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\SysWOW64\Conact\Conact.scr" /S
        6⤵
        Executes dropped EXE
        
        PID:3988
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:2632
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3308
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3412
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3716
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3612
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3992
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4076
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3888
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4032
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3400
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3084
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3360
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2932
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2408
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2956
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2984
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2940
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2988
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2840
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2848
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2060
- C:\Windows\SysWOW64\Conact\Conact.scr
  "C:\Windows\system32\Conact\Conact.scr" /S
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2716
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2728
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2748
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2780
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2836
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1316
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
    "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1460
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:888
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1912
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1052
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1820
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2696
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2276
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1660
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Conact.cfg

Filesize
1KB

MD5
742277fec796b4031d1476a3d2dd0462

SHA1
4aa3fea04db173621f264f0e263ac2d970aa2fb3

SHA256
137df737c01679f1cb8e2246d7d3abe8fa2d26c0107f5a37b4371cb266a400a2

SHA512
23e7f286e40a507a1537df79ea94ccb9baa742874b09bfb29aa5cacf45f82b510c93c1d99c00fde8d112d116b5ee24a108724ad518814f926dc2e31674fe4b1a

Download Submit
C:\Windows\SysWOW64\Conact\Conact.scr

Filesize
44KB

MD5
53facfdf8219a139fa7c928c05737ccd

SHA1
265276d5c1cf841690fd0cf40de55507399fa20d

SHA256
e19b44b2996629c059329bb07297cf98b41ade8439add0c2187a93d6eab0c72b

SHA512
042f28b0d80ee0e45b2168f57cbbb55066eaa4d3de3dbbf4bc68baf2e2b3d592299f59720a1edf1313c74a91439798126662da9133e7754b825488cbcad109fc

Download Submit
memory/868-210-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/880-118-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/884-109-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/888-46-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1068-154-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1072-199-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1460-48-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1464-160-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1616-231-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1720-145-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1892-16-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1932-181-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2108-100-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2116-228-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2180-193-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2220-90-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2288-71-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2392-219-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2420-12-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2424-88-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2664-8-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2664-7-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2684-122-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2804-163-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2908-26-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2920-172-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3000-36-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3036-83-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3036-196-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads