Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system -
submitted
08/02/2025, 03:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe
Resource
win7-20241010-en
windows7-x64
15 signatures
120 seconds
Behavioral task
behavioral2
Sample
5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe
Resource
win10v2004-20250207-en
windows10-2004-x64
17 signatures
120 seconds
General
-
Target
5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe
-
Size
372KB
-
MD5
9db9dde201b0c8390fab040b4fcdcde0
-
SHA1
63f0a0039d71b9ec37ade5c4c8f3aff75da38d36
-
SHA256
5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9
-
SHA512
9d4abfcdc2f72ceb5c87afb8f923f981aec6efa93f62c263b2232daa81b8282633484496f65d94361e76312225a7325bac9df966d07477e85e509fb071d03693
-
SSDEEP
6144:tpdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhia:tLqQx+H2i+8LBNbdypazCXY
Score
10/10
Malware Config
Extracted
Family
remcos
Version
2.4.3 Pro
Botnet
TINo
C2
185.140.53.140:2404
Attributes
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
true
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-5S9O07
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Modifies WinLogon for persistence 2 TTPs 39 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe -
Remcos family
-
Downloads MZ/PE file 1 IoCs
flow pid Process 26 4700 Process not Found -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation remcos.exe -
Executes dropped EXE 64 IoCs
pid Process 2452 hab.exe 3240 hab.exe 2056 remcos.exe 2040 remcos.exe 4224 hab.exe 740 hab.exe 3728 remcos.exe 1868 remcos.exe 3896 hab.exe 3444 hab.exe 1076 remcos.exe 4784 remcos.exe 1396 hab.exe 4072 hab.exe 2648 remcos.exe 4540 remcos.exe 4020 hab.exe 3212 hab.exe 4204 remcos.exe 1936 remcos.exe 4424 hab.exe 4332 hab.exe 3188 remcos.exe 3268 remcos.exe 2176 hab.exe 4000 hab.exe 3828 remcos.exe 860 remcos.exe 4092 hab.exe 4660 hab.exe 3540 remcos.exe 1284 remcos.exe 4816 hab.exe 4720 hab.exe 4288 remcos.exe 3692 remcos.exe 424 hab.exe 3424 hab.exe 4460 remcos.exe 2068 remcos.exe 2404 hab.exe 3884 hab.exe 1652 remcos.exe 3908 remcos.exe 4376 hab.exe 1996 hab.exe 1528 remcos.exe 5064 remcos.exe 4308 hab.exe 2648 hab.exe 4288 remcos.exe 892 remcos.exe 4408 hab.exe 3948 hab.exe 4460 remcos.exe 4248 remcos.exe 4124 hab.exe 2160 hab.exe 1376 remcos.exe 4132 remcos.exe 2180 hab.exe 1916 hab.exe 3196 remcos.exe 768 remcos.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe -
Modifies WinLogon 2 TTPs 39 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\win.ini 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3552 MicrosoftEdgeUpdate.exe -
Modifies registry class 39 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings hab.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4240 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 4240 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 4408 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 4408 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 2452 hab.exe 2452 hab.exe 3240 hab.exe 3240 hab.exe 2056 remcos.exe 2056 remcos.exe 2040 remcos.exe 2040 remcos.exe 4224 hab.exe 4224 hab.exe 740 hab.exe 740 hab.exe 3728 remcos.exe 3728 remcos.exe 1868 remcos.exe 1868 remcos.exe 3896 hab.exe 3896 hab.exe 3444 hab.exe 3444 hab.exe 1076 remcos.exe 1076 remcos.exe 4784 remcos.exe 4784 remcos.exe 1396 hab.exe 1396 hab.exe 4072 hab.exe 4072 hab.exe 2648 remcos.exe 2648 remcos.exe 4540 remcos.exe 4540 remcos.exe 4020 hab.exe 4020 hab.exe 3212 hab.exe 3212 hab.exe 4204 remcos.exe 4204 remcos.exe 1936 remcos.exe 1936 remcos.exe 4424 hab.exe 4424 hab.exe 4332 hab.exe 4332 hab.exe 3188 remcos.exe 3188 remcos.exe 3268 remcos.exe 3268 remcos.exe 2176 hab.exe 2176 hab.exe 4000 hab.exe 4000 hab.exe 3828 remcos.exe 3828 remcos.exe 860 remcos.exe 860 remcos.exe 4092 hab.exe 4092 hab.exe 4660 hab.exe 4660 hab.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4240 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 4240 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 4408 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 4408 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 2452 hab.exe 2452 hab.exe 3240 hab.exe 3240 hab.exe 2056 remcos.exe 2056 remcos.exe 2040 remcos.exe 2040 remcos.exe 4224 hab.exe 4224 hab.exe 740 hab.exe 740 hab.exe 3728 remcos.exe 3728 remcos.exe 1868 remcos.exe 1868 remcos.exe 3896 hab.exe 3896 hab.exe 3444 hab.exe 3444 hab.exe 1076 remcos.exe 1076 remcos.exe 4784 remcos.exe 4784 remcos.exe 1396 hab.exe 1396 hab.exe 4072 hab.exe 4072 hab.exe 2648 remcos.exe 2648 remcos.exe 4540 remcos.exe 4540 remcos.exe 4020 hab.exe 4020 hab.exe 3212 hab.exe 3212 hab.exe 4204 remcos.exe 4204 remcos.exe 1936 remcos.exe 1936 remcos.exe 4424 hab.exe 4424 hab.exe 4332 hab.exe 4332 hab.exe 3188 remcos.exe 3188 remcos.exe 3268 remcos.exe 3268 remcos.exe 2176 hab.exe 2176 hab.exe 4000 hab.exe 4000 hab.exe 3828 remcos.exe 3828 remcos.exe 860 remcos.exe 860 remcos.exe 4092 hab.exe 4092 hab.exe 4660 hab.exe 4660 hab.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 4240 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 4408 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 2452 hab.exe 3240 hab.exe 2056 remcos.exe 2040 remcos.exe 4224 hab.exe 740 hab.exe 3728 remcos.exe 1868 remcos.exe 3896 hab.exe 3444 hab.exe 1076 remcos.exe 4784 remcos.exe 1396 hab.exe 4072 hab.exe 2648 remcos.exe 4540 remcos.exe 4020 hab.exe 3212 hab.exe 4204 remcos.exe 1936 remcos.exe 4424 hab.exe 4332 hab.exe 3188 remcos.exe 3268 remcos.exe 2176 hab.exe 4000 hab.exe 3828 remcos.exe 860 remcos.exe 4092 hab.exe 4660 hab.exe 3540 remcos.exe 1284 remcos.exe 4816 hab.exe 4720 hab.exe 4288 remcos.exe 3692 remcos.exe 424 hab.exe 3424 hab.exe 4460 remcos.exe 2068 remcos.exe 2404 hab.exe 3884 hab.exe 1652 remcos.exe 3908 remcos.exe 4376 hab.exe 1996 hab.exe 1528 remcos.exe 5064 remcos.exe 4308 hab.exe 2648 hab.exe 4288 remcos.exe 892 remcos.exe 4408 hab.exe 3948 hab.exe 4460 remcos.exe 4248 remcos.exe 4124 hab.exe 2160 hab.exe 1376 remcos.exe 4132 remcos.exe 2180 hab.exe 1916 hab.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4240 wrote to memory of 4408 4240 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 85 PID 4240 wrote to memory of 4408 4240 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 85 PID 4240 wrote to memory of 4408 4240 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 85 PID 4408 wrote to memory of 2452 4408 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 86 PID 4408 wrote to memory of 2452 4408 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 86 PID 4408 wrote to memory of 2452 4408 5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe 86 PID 2452 wrote to memory of 3240 2452 hab.exe 87 PID 2452 wrote to memory of 3240 2452 hab.exe 87 PID 2452 wrote to memory of 3240 2452 hab.exe 87 PID 3240 wrote to memory of 2824 3240 hab.exe 88 PID 3240 wrote to memory of 2824 3240 hab.exe 88 PID 3240 wrote to memory of 2824 3240 hab.exe 88 PID 2824 wrote to memory of 2360 2824 WScript.exe 89 PID 2824 wrote to memory of 2360 2824 WScript.exe 89 PID 2824 wrote to memory of 2360 2824 WScript.exe 89 PID 2360 wrote to memory of 2056 2360 cmd.exe 91 PID 2360 wrote to memory of 2056 2360 cmd.exe 91 PID 2360 wrote to memory of 2056 2360 cmd.exe 91 PID 2056 wrote to memory of 2040 2056 remcos.exe 92 PID 2056 wrote to memory of 2040 2056 remcos.exe 92 PID 2056 wrote to memory of 2040 2056 remcos.exe 92 PID 2040 wrote to memory of 4224 2040 remcos.exe 93 PID 2040 wrote to memory of 4224 2040 remcos.exe 93 PID 2040 wrote to memory of 4224 2040 remcos.exe 93 PID 4224 wrote to memory of 740 4224 hab.exe 94 PID 4224 wrote to memory of 740 4224 hab.exe 94 PID 4224 wrote to memory of 740 4224 hab.exe 94 PID 740 wrote to memory of 5024 740 hab.exe 95 PID 740 wrote to memory of 5024 740 hab.exe 95 PID 740 wrote to memory of 5024 740 hab.exe 95 PID 5024 wrote to memory of 3288 5024 WScript.exe 96 PID 5024 wrote to memory of 3288 5024 WScript.exe 96 PID 5024 wrote to memory of 3288 5024 WScript.exe 96 PID 3288 wrote to memory of 3728 3288 cmd.exe 98 PID 3288 wrote to memory of 3728 3288 cmd.exe 98 PID 3288 wrote to memory of 3728 3288 cmd.exe 98 PID 3728 wrote to memory of 1868 3728 remcos.exe 99 PID 3728 wrote to memory of 1868 3728 remcos.exe 99 PID 3728 wrote to memory of 1868 3728 remcos.exe 99 PID 1868 wrote to memory of 3896 1868 remcos.exe 100 PID 1868 wrote to memory of 3896 1868 remcos.exe 100 PID 1868 wrote to memory of 3896 1868 remcos.exe 100 PID 3896 wrote to memory of 3444 3896 hab.exe 101 PID 3896 wrote to memory of 3444 3896 hab.exe 101 PID 3896 wrote to memory of 3444 3896 hab.exe 101 PID 3444 wrote to memory of 5092 3444 hab.exe 102 PID 3444 wrote to memory of 5092 3444 hab.exe 102 PID 3444 wrote to memory of 5092 3444 hab.exe 102 PID 5092 wrote to memory of 4180 5092 WScript.exe 103 PID 5092 wrote to memory of 4180 5092 WScript.exe 103 PID 5092 wrote to memory of 4180 5092 WScript.exe 103 PID 4180 wrote to memory of 1076 4180 cmd.exe 105 PID 4180 wrote to memory of 1076 4180 cmd.exe 105 PID 4180 wrote to memory of 1076 4180 cmd.exe 105 PID 1076 wrote to memory of 4784 1076 remcos.exe 106 PID 1076 wrote to memory of 4784 1076 remcos.exe 106 PID 1076 wrote to memory of 4784 1076 remcos.exe 106 PID 4784 wrote to memory of 1396 4784 remcos.exe 107 PID 4784 wrote to memory of 1396 4784 remcos.exe 107 PID 4784 wrote to memory of 1396 4784 remcos.exe 107 PID 1396 wrote to memory of 4072 1396 hab.exe 108 PID 1396 wrote to memory of 4072 1396 hab.exe 108 PID 1396 wrote to memory of 4072 1396 hab.exe 108 PID 4072 wrote to memory of 3696 4072 hab.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe"C:\Users\Admin\AppData\Local\Temp\5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe"1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe"C:\Users\Admin\AppData\Local\Temp\5b2f7db7f9b1126f9840242568fdbf7957c8400253e9b9809321148304d572e9N.exe"2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe7⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe8⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"11⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"12⤵
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe13⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe14⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"15⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"17⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"18⤵
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe19⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"21⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"23⤵PID:3696
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"24⤵PID:4988
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe25⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2648 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe26⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4540 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"27⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4020 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3212 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"29⤵
- Checks computer location settings
PID:4568 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"30⤵PID:3652
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe31⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4204 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4332 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"35⤵
- Checks computer location settings
PID:4364 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"36⤵PID:3884
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe37⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3188 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3268 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4000 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"41⤵
- System Location Discovery: System Language Discovery
PID:3200 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"42⤵
- System Location Discovery: System Language Discovery
PID:5044 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe43⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3828 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe44⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:860 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"45⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4660 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"47⤵
- Checks computer location settings
PID:4428 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"48⤵PID:1448
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe49⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3540 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"51⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"52⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4720 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"53⤵
- Checks computer location settings
PID:2732 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"54⤵
- System Location Discovery: System Language Discovery
PID:4108 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe55⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4288 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe56⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"57⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:424 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"58⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3424 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"59⤵PID:4440
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"60⤵PID:4036
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe61⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4460 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe62⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"64⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3884 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"65⤵
- Checks computer location settings
PID:3716 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"66⤵PID:4576
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe67⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1652 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe68⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"69⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"70⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1996 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"71⤵PID:1928
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"72⤵PID:1380
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe73⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1528 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe74⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"75⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"76⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2648 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"77⤵
- Checks computer location settings
PID:844 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"78⤵
- System Location Discovery: System Language Discovery
PID:5028 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe79⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4288 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe80⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:892 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"81⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"82⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3948 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"83⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3668 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"84⤵PID:4424
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe85⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4460 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe86⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"87⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4124 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"88⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2160 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"89⤵PID:2060
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"90⤵PID:4076
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe91⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1376 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe92⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"93⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"94⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1916 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"95⤵PID:3208
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"96⤵PID:3836
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe97⤵
- Executes dropped EXE
PID:3196 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe98⤵
- Checks computer location settings
- Executes dropped EXE
PID:768 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"99⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"100⤵
- Modifies WinLogon for persistence
- Modifies WinLogon
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"101⤵
- Checks computer location settings
PID:3748 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"102⤵PID:2716
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe103⤵
- Drops file in Windows directory
PID:4900 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe104⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"105⤵
- Adds Run key to start application
PID:4296 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"106⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"107⤵
- Checks computer location settings
PID:3212 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"108⤵PID:4368
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe109⤵PID:4848
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe110⤵
- Checks computer location settings
PID:804 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"111⤵
- Adds Run key to start application
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"112⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"113⤵PID:1440
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"114⤵
- System Location Discovery: System Language Discovery
PID:388 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe115⤵
- Drops file in Windows directory
PID:3268 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe116⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"117⤵
- Adds Run key to start application
PID:1820 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"118⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"119⤵
- Checks computer location settings
PID:1268 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"120⤵PID:764
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe121⤵
- System Location Discovery: System Language Discovery
PID:2912
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-