Analysis
-
max time kernel
145s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system -
submitted
08/02/2025, 00:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe
Resource
win7-20241010-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe
Resource
win10v2004-20250207-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe
-
Size
372KB
-
MD5
83586f7c20c9b9b83b1f7730d94a7691
-
SHA1
a1dc944bfb4cd671d3efa36692a24501c5b9eb9f
-
SHA256
661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e
-
SHA512
4c3b1b657d69bbe314b55315b59bf1d5b087e315e4b17c0458b968c1b66eb808b7991b16ae4a5278735b1642567e3cc711f54227c75bb28a6166a49c2da2886d
-
SSDEEP
6144:t8dgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiS:t2qQx+H2i+8LBNbdypazCXY
Score
10/10
Malware Config
Extracted
Family
remcos
Version
2.4.3 Pro
Botnet
TINo
C2
185.140.53.140:2404
Attributes
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
true
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-5S9O07
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Modifies WinLogon for persistence 2 TTPs 43 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe -
Remcos family
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 64 IoCs
pid Process 3140 hab.exe 4140 hab.exe 2756 remcos.exe 2676 remcos.exe 2500 hab.exe 404 hab.exe 3408 remcos.exe 3640 remcos.exe 1904 hab.exe 3152 hab.exe 1988 remcos.exe 5016 remcos.exe 3860 hab.exe 3808 hab.exe 3504 remcos.exe 3136 remcos.exe 1672 hab.exe 1852 hab.exe 4884 remcos.exe 3940 remcos.exe 1596 hab.exe 4164 hab.exe 2768 remcos.exe 2384 remcos.exe 2368 hab.exe 3056 hab.exe 32 remcos.exe 5000 remcos.exe 4624 hab.exe 1512 hab.exe 4748 remcos.exe 2520 remcos.exe 2756 hab.exe 3896 hab.exe 1520 remcos.exe 4584 remcos.exe 2512 hab.exe 4652 hab.exe 3056 remcos.exe 4440 remcos.exe 32 hab.exe 4384 hab.exe 4896 remcos.exe 4820 remcos.exe 4892 hab.exe 4748 hab.exe 4884 remcos.exe 2764 remcos.exe 2976 hab.exe 1300 hab.exe 2664 remcos.exe 3512 remcos.exe 3152 hab.exe 1436 hab.exe 1988 remcos.exe 1248 remcos.exe 3668 hab.exe 4280 hab.exe 3144 remcos.exe 2096 remcos.exe 4656 hab.exe 2620 hab.exe 984 remcos.exe 924 remcos.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe -
Modifies WinLogon 2 TTPs 42 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1352 MicrosoftEdgeUpdate.exe -
Modifies registry class 43 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings hab.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1920 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 1920 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 3544 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 3544 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 3140 hab.exe 3140 hab.exe 4140 hab.exe 4140 hab.exe 2756 remcos.exe 2756 remcos.exe 2676 remcos.exe 2676 remcos.exe 2500 hab.exe 2500 hab.exe 404 hab.exe 404 hab.exe 3408 remcos.exe 3408 remcos.exe 3640 remcos.exe 3640 remcos.exe 1904 hab.exe 1904 hab.exe 3152 hab.exe 3152 hab.exe 1988 remcos.exe 1988 remcos.exe 5016 remcos.exe 5016 remcos.exe 3860 hab.exe 3860 hab.exe 3808 hab.exe 3808 hab.exe 3504 remcos.exe 3504 remcos.exe 3136 remcos.exe 3136 remcos.exe 1672 hab.exe 1672 hab.exe 1852 hab.exe 1852 hab.exe 4884 remcos.exe 4884 remcos.exe 3940 remcos.exe 3940 remcos.exe 1596 hab.exe 1596 hab.exe 4164 hab.exe 4164 hab.exe 2768 remcos.exe 2768 remcos.exe 2384 remcos.exe 2384 remcos.exe 2368 hab.exe 2368 hab.exe 3056 hab.exe 3056 hab.exe 32 remcos.exe 32 remcos.exe 5000 remcos.exe 5000 remcos.exe 4624 hab.exe 4624 hab.exe 1512 hab.exe 1512 hab.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1920 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 1920 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 3544 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 3544 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 3140 hab.exe 3140 hab.exe 4140 hab.exe 4140 hab.exe 2756 remcos.exe 2756 remcos.exe 2676 remcos.exe 2676 remcos.exe 2500 hab.exe 2500 hab.exe 404 hab.exe 404 hab.exe 3408 remcos.exe 3408 remcos.exe 3640 remcos.exe 3640 remcos.exe 1904 hab.exe 1904 hab.exe 3152 hab.exe 3152 hab.exe 1988 remcos.exe 1988 remcos.exe 5016 remcos.exe 5016 remcos.exe 3860 hab.exe 3860 hab.exe 3808 hab.exe 3808 hab.exe 3504 remcos.exe 3504 remcos.exe 3136 remcos.exe 3136 remcos.exe 1672 hab.exe 1672 hab.exe 1852 hab.exe 1852 hab.exe 4884 remcos.exe 4884 remcos.exe 3940 remcos.exe 3940 remcos.exe 1596 hab.exe 1596 hab.exe 4164 hab.exe 4164 hab.exe 2768 remcos.exe 2768 remcos.exe 2384 remcos.exe 2384 remcos.exe 2368 hab.exe 2368 hab.exe 3056 hab.exe 3056 hab.exe 32 remcos.exe 32 remcos.exe 5000 remcos.exe 5000 remcos.exe 4624 hab.exe 4624 hab.exe 1512 hab.exe 1512 hab.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1920 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 3544 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 3140 hab.exe 4140 hab.exe 2756 remcos.exe 2676 remcos.exe 2500 hab.exe 404 hab.exe 3408 remcos.exe 3640 remcos.exe 1904 hab.exe 3152 hab.exe 1988 remcos.exe 5016 remcos.exe 3860 hab.exe 3808 hab.exe 3504 remcos.exe 3136 remcos.exe 1672 hab.exe 1852 hab.exe 4884 remcos.exe 3940 remcos.exe 1596 hab.exe 4164 hab.exe 2768 remcos.exe 2384 remcos.exe 2368 hab.exe 3056 hab.exe 32 remcos.exe 5000 remcos.exe 4624 hab.exe 1512 hab.exe 4748 remcos.exe 2520 remcos.exe 2756 hab.exe 3896 hab.exe 1520 remcos.exe 4584 remcos.exe 2512 hab.exe 4652 hab.exe 3056 remcos.exe 4440 remcos.exe 32 hab.exe 4384 hab.exe 4896 remcos.exe 4820 remcos.exe 4892 hab.exe 4748 hab.exe 4884 remcos.exe 2764 remcos.exe 2976 hab.exe 1300 hab.exe 2664 remcos.exe 3512 remcos.exe 3152 hab.exe 1436 hab.exe 1988 remcos.exe 1248 remcos.exe 3668 hab.exe 4280 hab.exe 3144 remcos.exe 2096 remcos.exe 4656 hab.exe 2620 hab.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1920 wrote to memory of 3544 1920 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 88 PID 1920 wrote to memory of 3544 1920 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 88 PID 1920 wrote to memory of 3544 1920 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 88 PID 3544 wrote to memory of 3140 3544 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 91 PID 3544 wrote to memory of 3140 3544 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 91 PID 3544 wrote to memory of 3140 3544 661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe 91 PID 3140 wrote to memory of 4140 3140 hab.exe 92 PID 3140 wrote to memory of 4140 3140 hab.exe 92 PID 3140 wrote to memory of 4140 3140 hab.exe 92 PID 4140 wrote to memory of 3380 4140 hab.exe 93 PID 4140 wrote to memory of 3380 4140 hab.exe 93 PID 4140 wrote to memory of 3380 4140 hab.exe 93 PID 3380 wrote to memory of 1028 3380 WScript.exe 94 PID 3380 wrote to memory of 1028 3380 WScript.exe 94 PID 3380 wrote to memory of 1028 3380 WScript.exe 94 PID 1028 wrote to memory of 2756 1028 cmd.exe 96 PID 1028 wrote to memory of 2756 1028 cmd.exe 96 PID 1028 wrote to memory of 2756 1028 cmd.exe 96 PID 2756 wrote to memory of 2676 2756 remcos.exe 97 PID 2756 wrote to memory of 2676 2756 remcos.exe 97 PID 2756 wrote to memory of 2676 2756 remcos.exe 97 PID 2676 wrote to memory of 2500 2676 remcos.exe 98 PID 2676 wrote to memory of 2500 2676 remcos.exe 98 PID 2676 wrote to memory of 2500 2676 remcos.exe 98 PID 2500 wrote to memory of 404 2500 hab.exe 99 PID 2500 wrote to memory of 404 2500 hab.exe 99 PID 2500 wrote to memory of 404 2500 hab.exe 99 PID 404 wrote to memory of 2924 404 hab.exe 100 PID 404 wrote to memory of 2924 404 hab.exe 100 PID 404 wrote to memory of 2924 404 hab.exe 100 PID 2924 wrote to memory of 4196 2924 WScript.exe 101 PID 2924 wrote to memory of 4196 2924 WScript.exe 101 PID 2924 wrote to memory of 4196 2924 WScript.exe 101 PID 4196 wrote to memory of 3408 4196 cmd.exe 103 PID 4196 wrote to memory of 3408 4196 cmd.exe 103 PID 4196 wrote to memory of 3408 4196 cmd.exe 103 PID 3408 wrote to memory of 3640 3408 remcos.exe 104 PID 3408 wrote to memory of 3640 3408 remcos.exe 104 PID 3408 wrote to memory of 3640 3408 remcos.exe 104 PID 3640 wrote to memory of 1904 3640 remcos.exe 105 PID 3640 wrote to memory of 1904 3640 remcos.exe 105 PID 3640 wrote to memory of 1904 3640 remcos.exe 105 PID 1904 wrote to memory of 3152 1904 hab.exe 106 PID 1904 wrote to memory of 3152 1904 hab.exe 106 PID 1904 wrote to memory of 3152 1904 hab.exe 106 PID 3152 wrote to memory of 2324 3152 hab.exe 107 PID 3152 wrote to memory of 2324 3152 hab.exe 107 PID 3152 wrote to memory of 2324 3152 hab.exe 107 PID 2324 wrote to memory of 2984 2324 WScript.exe 108 PID 2324 wrote to memory of 2984 2324 WScript.exe 108 PID 2324 wrote to memory of 2984 2324 WScript.exe 108 PID 2984 wrote to memory of 1988 2984 cmd.exe 110 PID 2984 wrote to memory of 1988 2984 cmd.exe 110 PID 2984 wrote to memory of 1988 2984 cmd.exe 110 PID 1988 wrote to memory of 5016 1988 remcos.exe 111 PID 1988 wrote to memory of 5016 1988 remcos.exe 111 PID 1988 wrote to memory of 5016 1988 remcos.exe 111 PID 5016 wrote to memory of 3860 5016 remcos.exe 112 PID 5016 wrote to memory of 3860 5016 remcos.exe 112 PID 5016 wrote to memory of 3860 5016 remcos.exe 112 PID 3860 wrote to memory of 3808 3860 hab.exe 113 PID 3860 wrote to memory of 3808 3860 hab.exe 113 PID 3860 wrote to memory of 3808 3860 hab.exe 113 PID 3808 wrote to memory of 316 3808 hab.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe"C:\Users\Admin\AppData\Local\Temp\661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe"1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe"C:\Users\Admin\AppData\Local\Temp\661ba9a0e59115d686fa353b7d71fc415c19f4f709562beb7bc271eddc9ff91e.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe7⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe13⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe14⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"15⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"17⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"18⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe19⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe20⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"21⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"23⤵
- Checks computer location settings
PID:316 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"24⤵PID:668
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe25⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3504 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3136 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1852 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"29⤵PID:516
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"30⤵PID:3628
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe31⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4884 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3940 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4164 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"35⤵PID:2116
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"36⤵PID:1984
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe37⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2768 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3056 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"41⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3384 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"42⤵PID:3860
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe43⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:32 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe44⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"45⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1512 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"47⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"48⤵PID:3428
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4748 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2520 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"52⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3896 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"53⤵PID:3940
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"54⤵PID:2116
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe55⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1520 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"57⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"58⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4652 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"59⤵
- Checks computer location settings
PID:1236 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"60⤵PID:3792
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3056 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe62⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:32 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"64⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4384 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"65⤵
- System Location Discovery: System Language Discovery
PID:432 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"66⤵
- System Location Discovery: System Language Discovery
PID:784 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe67⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4896 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe68⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4820 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"69⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4892 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"70⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4748 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"71⤵PID:2988
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"72⤵PID:2260
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe73⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4884 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe74⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"75⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"76⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1300 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"77⤵PID:540
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"78⤵
- System Location Discovery: System Language Discovery
PID:3312 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:2116
-
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe79⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2664 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe80⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3512 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"81⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"82⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1436 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"83⤵
- Checks computer location settings
PID:5084 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"84⤵PID:3056
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe85⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1988 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe86⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"87⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3668 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"88⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4280 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"89⤵PID:1420
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"90⤵PID:4136
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe91⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3144 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe92⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"93⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"94⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2620 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"95⤵PID:1752
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"96⤵PID:4684
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe97⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:984 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe98⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:924 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"99⤵
- Adds Run key to start application
PID:3520 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"100⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
PID:3408 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"101⤵PID:4516
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"102⤵
- System Location Discovery: System Language Discovery
PID:4132 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe103⤵
- Drops file in Windows directory
PID:3312 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe104⤵
- Checks computer location settings
PID:3076 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"105⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"106⤵
- Modifies WinLogon for persistence
- Modifies WinLogon
- Modifies registry class
PID:4008 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"107⤵PID:3384
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"108⤵PID:3208
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe109⤵PID:3056
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe110⤵
- Checks computer location settings
PID:100 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"111⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"112⤵
- Modifies WinLogon for persistence
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"113⤵PID:4388
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"114⤵PID:2320
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe115⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe116⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"117⤵
- Adds Run key to start application
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"118⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
PID:3788 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"119⤵PID:2756
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"120⤵
- System Location Discovery: System Language Discovery
PID:4196 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe121⤵PID:2388
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-