xtremerat | e19b44b2996629c059329bb07297cf98b41ade8439add0c2187a93d6eab0c72b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Size

44KB
MD5

53facfdf8219a139fa7c928c05737ccd
SHA1

265276d5c1cf841690fd0cf40de55507399fa20d
SHA256

e19b44b2996629c059329bb07297cf98b41ade8439add0c2187a93d6eab0c72b
SHA512

042f28b0d80ee0e45b2168f57cbbb55066eaa4d3de3dbbf4bc68baf2e2b3d592299f59720a1edf1313c74a91439798126662da9133e7754b825488cbcad109fc
SSDEEP

768:rBr+tjFqTPkAlfztB1lr6an3smTA8uvm2DfOTwYPIFzocja:FyRUHlrL1lr6an3TLuvm2buQVo0a

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

vip.no-ip.org

Signatures

Detect XtremeRAT payload 60 IoCs

resource	yara_rule
behavioral2/memory/4884-6-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/files/0x000a000000023b8d-7.dat	family_xtremerat
behavioral2/memory/1028-8-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2016-10-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4016-19-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4600-29-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3692-32-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4580-41-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3688-46-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2404-50-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3720-58-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/224-72-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1932-73-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4332-75-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2248-83-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1160-91-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2760-99-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1628-100-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2224-111-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3168-113-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2156-122-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/804-124-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4156-129-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/2780-138-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/840-142-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1920-144-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1368-150-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1208-158-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1548-162-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4156-164-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3484-172-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3656-174-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4180-183-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5280-190-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5128-191-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5216-196-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5440-199-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5532-202-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5588-203-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5856-208-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5924-211-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5972-214-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/636-219-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5240-220-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5416-221-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5612-228-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5916-235-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/6036-242-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5244-246-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5492-245-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5948-247-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3000-252-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5140-257-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3060-260-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3412-261-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4740-268-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4044-269-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5544-276-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/3604-277-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/1768-280-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\system32\\Conact\\Conact.scr restart"	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\system32\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\system32\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr restart"	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{53Y046DH-P808-382C-K217-H72748Y5P4MS}	Conact.scr

Checks computer location settings 2 TTPs 42 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Conact.scr

Deletes itself 1 IoCs

pid	Process
1028	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3692	Conact.scr
4580	Conact.scr
3688	Conact.scr
2404	Conact.scr
3720	Conact.scr
4332	Conact.scr
2248	Conact.scr
224	Conact.scr
1160	Conact.scr
2760	Conact.scr
3168	Conact.scr
804	Conact.scr
2156	Conact.scr
4156	Conact.scr
2780	Conact.scr
840	Conact.scr
1920	Conact.scr
1368	Conact.scr
1208	Conact.scr
4156	Conact.scr
1548	Conact.scr
3656	Conact.scr
4180	Conact.scr
5128	Conact.scr
5216	Conact.scr
5440	Conact.scr
5532	Conact.scr
5588	Conact.scr
5856	Conact.scr
5924	Conact.scr
5972	Conact.scr
636	Conact.scr
5416	Conact.scr
5240	Conact.scr
5612	Conact.scr
5916	Conact.scr
6036	Conact.scr
5948	Conact.scr
5244	Conact.scr
3000	Conact.scr
5140	Conact.scr
3412	Conact.scr
4740	Conact.scr
3060	Conact.scr
3604	Conact.scr
1768	Conact.scr
6560	Conact.scr
6636	Conact.scr
7028	Conact.scr
7140	Conact.scr
3820	Conact.scr
3412	Conact.scr
2224	Conact.scr
1256	Conact.scr
6452	Conact.scr
6864	Conact.scr
6912	Conact.scr
7100	Conact.scr
6244	Conact.scr
664	Conact.scr
6688	Conact.scr
6264	Conact.scr
3808	Conact.scr
6312	Conact.scr

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Conact\\Conact.scr"	Conact.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Conact\\Conact.scr"	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	explorer.exe
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File created	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\	Conact.scr
File opened for modification	C:\Windows\SysWOW64\Conact\Conact.scr	Conact.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conact.scr

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 4884	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	84
PID 2016 wrote to memory of 4884	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	84
PID 2016 wrote to memory of 4884	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	84
PID 2016 wrote to memory of 4884	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	84
PID 2016 wrote to memory of 3620	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	86
PID 2016 wrote to memory of 3620	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	86
PID 2016 wrote to memory of 1028	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	89
PID 2016 wrote to memory of 1028	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	89
PID 2016 wrote to memory of 1028	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	89
PID 2016 wrote to memory of 1028	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	89
PID 2016 wrote to memory of 3620	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	86
PID 2016 wrote to memory of 892	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	90
PID 2016 wrote to memory of 892	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	90
PID 2016 wrote to memory of 892	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	90
PID 2016 wrote to memory of 4896	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	91
PID 2016 wrote to memory of 4896	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	91
PID 2016 wrote to memory of 4896	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	91
PID 2016 wrote to memory of 3732	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	94
PID 2016 wrote to memory of 3732	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	94
PID 2016 wrote to memory of 3732	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	94
PID 2016 wrote to memory of 3228	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	96
PID 2016 wrote to memory of 3228	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	96
PID 2016 wrote to memory of 3228	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	96
PID 2016 wrote to memory of 2668	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	98
PID 2016 wrote to memory of 2668	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	98
PID 2016 wrote to memory of 2668	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	98
PID 2016 wrote to memory of 536	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	99
PID 2016 wrote to memory of 536	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	99
PID 2016 wrote to memory of 536	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	99
PID 2016 wrote to memory of 3104	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	100
PID 2016 wrote to memory of 3104	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	100
PID 2016 wrote to memory of 3692	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	101
PID 2016 wrote to memory of 3692	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	101
PID 2016 wrote to memory of 3692	2016	53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe	101
PID 3692 wrote to memory of 1880	3692	Conact.scr	102
PID 3692 wrote to memory of 1880	3692	Conact.scr	102
PID 3692 wrote to memory of 4016	3692	Conact.scr	103
PID 3692 wrote to memory of 4016	3692	Conact.scr	103
PID 3692 wrote to memory of 4016	3692	Conact.scr	103
PID 3692 wrote to memory of 4016	3692	Conact.scr	103
PID 3692 wrote to memory of 1880	3692	Conact.scr	102
PID 3692 wrote to memory of 3356	3692	Conact.scr	105
PID 3692 wrote to memory of 3356	3692	Conact.scr	105
PID 3692 wrote to memory of 3356	3692	Conact.scr	105
PID 3692 wrote to memory of 4176	3692	Conact.scr	106
PID 3692 wrote to memory of 4176	3692	Conact.scr	106
PID 3692 wrote to memory of 4176	3692	Conact.scr	106
PID 3692 wrote to memory of 1424	3692	Conact.scr	107
PID 3692 wrote to memory of 1424	3692	Conact.scr	107
PID 3692 wrote to memory of 1424	3692	Conact.scr	107
PID 3692 wrote to memory of 3944	3692	Conact.scr	108
PID 3692 wrote to memory of 3944	3692	Conact.scr	108
PID 3692 wrote to memory of 3944	3692	Conact.scr	108
PID 3692 wrote to memory of 3516	3692	Conact.scr	110
PID 3692 wrote to memory of 3516	3692	Conact.scr	110
PID 3692 wrote to memory of 3516	3692	Conact.scr	110
PID 3692 wrote to memory of 1136	3692	Conact.scr	111
PID 3692 wrote to memory of 1136	3692	Conact.scr	111
PID 3692 wrote to memory of 1136	3692	Conact.scr	111
PID 3692 wrote to memory of 2424	3692	Conact.scr	112
PID 3692 wrote to memory of 2424	3692	Conact.scr	112
PID 4884 wrote to memory of 4580	4884	svchost.exe	113
PID 4884 wrote to memory of 4580	4884	svchost.exe	113
PID 4884 wrote to memory of 4580	4884	svchost.exe	113

C:\Users\Admin\AppData\Local\Temp\53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53facfdf8219a139fa7c928c05737ccd_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3596
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5072
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:3720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5004
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2120
    - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1304
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4680
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Executes dropped EXE
    PID:224
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1204
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4528
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5108
    - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4084
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1828
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:376
      - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4600
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:8
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4920
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3420
    - - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\SysWOW64\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4488
      - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\SysWOW64\Conact\Conact.scr" /S
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:5208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5504
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:4180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4468
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Drops file in System32 directory
        
        PID:3484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4724
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5272
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5484
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      PID:5588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5844
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:5532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5876
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:5924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3352
    - - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\SysWOW64\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5780
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5892
      - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\SysWOW64\Conact\Conact.scr" /S
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6124
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:5972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5436
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      PID:5240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5584
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:5612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5440
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:6036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6104
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:6132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3068
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Executes dropped EXE
      PID:5244
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:5948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6000
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:5492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:736
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:5140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6064
    - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5580
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:3412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5300
    - - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\SysWOW64\Conact\Conact.scr" /S
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1756
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6520
      - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:7028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7096
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5556
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5912
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6552
    - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6692
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7048
      - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\system32\Conact\Conact.scr" /S
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\SysWOW64\Conact\Conact.scr" /S
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        8⤵
        Executes dropped EXE
        
        PID:1256
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Executes dropped EXE
    PID:3412
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6508
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:6452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6840
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6772
    - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6608
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7084
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1696
      - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        7⤵
        Executes dropped EXE
        
        PID:6688
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Executes dropped EXE
    PID:6912
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Executes dropped EXE
    PID:6244
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6868
  - - C:\Windows\SysWOW64\Conact\Conact.scr
      "C:\Windows\SysWOW64\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:6264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6204
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:7136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:6716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2344
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Executes dropped EXE
    PID:3808
- - C:\Windows\SysWOW64\Conact\Conact.scr
    "C:\Windows\system32\Conact\Conact.scr" /S
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:6312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6912
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:6576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:6784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3620
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3104
- C:\Windows\SysWOW64\Conact\Conact.scr
  "C:\Windows\system32\Conact\Conact.scr" /S
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2424
- - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
    "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5000
  - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
      "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:4332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:884
    - - C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2528
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3776
      - C:\Windows\SysWOW64\Conact\Conact.scr
        
        "C:\Windows\system32\Conact\Conact.scr" /S
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Roaming\Conact\Conact.scr
        
        "C:\Users\Admin\AppData\Roaming\Conact\Conact.scr" /S
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Conact.cfg

Filesize
1KB

MD5
742277fec796b4031d1476a3d2dd0462

SHA1
4aa3fea04db173621f264f0e263ac2d970aa2fb3

SHA256
137df737c01679f1cb8e2246d7d3abe8fa2d26c0107f5a37b4371cb266a400a2

SHA512
23e7f286e40a507a1537df79ea94ccb9baa742874b09bfb29aa5cacf45f82b510c93c1d99c00fde8d112d116b5ee24a108724ad518814f926dc2e31674fe4b1a

Download Submit
C:\Windows\SysWOW64\Conact\Conact.scr

Filesize
44KB

MD5
53facfdf8219a139fa7c928c05737ccd

SHA1
265276d5c1cf841690fd0cf40de55507399fa20d

SHA256
e19b44b2996629c059329bb07297cf98b41ade8439add0c2187a93d6eab0c72b

SHA512
042f28b0d80ee0e45b2168f57cbbb55066eaa4d3de3dbbf4bc68baf2e2b3d592299f59720a1edf1313c74a91439798126662da9133e7754b825488cbcad109fc

Download Submit
memory/224-72-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-219-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/804-124-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/840-142-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1028-8-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1160-91-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1208-158-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1368-150-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1548-162-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1628-100-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1768-280-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1920-144-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1932-73-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2016-10-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2156-122-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2224-111-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2248-83-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2404-50-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2760-99-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2780-138-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3000-252-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3060-260-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3168-113-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3412-261-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3484-172-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3604-277-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3656-174-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3688-46-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3692-32-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/3720-58-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4016-19-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4044-269-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4156-129-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4156-164-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4180-183-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4332-75-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4580-41-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4600-29-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4740-268-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4884-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5128-191-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5140-257-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5216-196-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5240-220-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5244-246-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5280-190-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5416-221-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5440-199-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5492-245-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5532-202-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5544-276-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5588-203-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5612-228-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5856-208-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5916-235-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5924-211-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5948-247-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5972-214-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/6036-242-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads