remcos | ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/02/2025, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
Size

372KB
MD5

6341cf60313faa9883198564c3b63343
SHA1

776e53776723f8bbb63c0c612566f0e9ef8312d2
SHA256

ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315
SHA512

d85672a1609d9f80e52bd941b130602c66d8bc0ee91bcb3edb57612eb222e587acdab4a5032ed248579e5ed61ea74474446f6c8be28be1dc5a52c23f5f87cdf4
SSDEEP

6144:tPdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhi6K:t1qQx+H2i+8LBNbdypazCXY0

Score

10^/10

remcos tino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

TINo

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-5S9O07
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 62 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 64 IoCs

pid	Process
3024	hab.exe
1592	hab.exe
2920	remcos.exe
2604	remcos.exe
2636	hab.exe
2656	hab.exe
1244	remcos.exe
2404	remcos.exe
2388	hab.exe
1324	hab.exe
2668	remcos.exe
2276	remcos.exe
1508	hab.exe
1304	hab.exe
2228	remcos.exe
2340	remcos.exe
2676	hab.exe
1628	hab.exe
1588	remcos.exe
2128	remcos.exe
2496	hab.exe
2768	hab.exe
2796	remcos.exe
2788	remcos.exe
2616	hab.exe
2700	hab.exe
1356	remcos.exe
1088	remcos.exe
1684	hab.exe
2040	hab.exe
2000	remcos.exe
1428	remcos.exe
1320	hab.exe
1324	hab.exe
1240	remcos.exe
560	remcos.exe
2276	hab.exe
1740	hab.exe
2216	remcos.exe
2104	remcos.exe
2504	hab.exe
884	hab.exe
1580	remcos.exe
2292	remcos.exe
1704	hab.exe
2128	hab.exe
1868	remcos.exe
2708	remcos.exe
2784	hab.exe
2884	hab.exe
2836	remcos.exe
2576	remcos.exe
1356	hab.exe
2656	hab.exe
840	remcos.exe
1996	remcos.exe
2388	hab.exe
2364	hab.exe
1932	remcos.exe
2436	remcos.exe
2428	hab.exe
1536	hab.exe
328	remcos.exe
2680	remcos.exe

Loads dropped DLL 64 IoCs

pid	Process
2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
3024	hab.exe
2812	cmd.exe
2812	cmd.exe
2604	remcos.exe
2604	remcos.exe
2636	hab.exe
2324	cmd.exe
2324	cmd.exe
2404	remcos.exe
2404	remcos.exe
2388	hab.exe
2436	cmd.exe
2436	cmd.exe
2276	remcos.exe
2276	remcos.exe
1508	hab.exe
1620	cmd.exe
1620	cmd.exe
2340	remcos.exe
2340	remcos.exe
2676	hab.exe
1556	cmd.exe
1556	cmd.exe
2128	remcos.exe
2128	remcos.exe
2496	hab.exe
2672	cmd.exe
2672	cmd.exe
2788	remcos.exe
2788	remcos.exe
2616	hab.exe
3040	cmd.exe
3040	cmd.exe
1088	remcos.exe
1088	remcos.exe
1684	hab.exe
2488	cmd.exe
2488	cmd.exe
1428	remcos.exe
1428	remcos.exe
1320	hab.exe
2428	cmd.exe
2428	cmd.exe
560	remcos.exe
560	remcos.exe
2276	hab.exe
1540	cmd.exe
1540	cmd.exe
2104	remcos.exe
2104	remcos.exe
2504	hab.exe
2268	cmd.exe
2268	cmd.exe
2292	remcos.exe
2292	remcos.exe
1704	hab.exe
2688	cmd.exe
2688	cmd.exe
2708	remcos.exe
2708	remcos.exe
2784	hab.exe
2584	cmd.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe

Modifies WinLogon 2 TTPs 62 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2260 set thread context of 2136	2260	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe	30
PID 3024 set thread context of 1592	3024	hab.exe	32
PID 2920 set thread context of 2604	2920	remcos.exe	37
PID 2636 set thread context of 2656	2636	hab.exe	39
PID 1244 set thread context of 2404	1244	remcos.exe	45
PID 2388 set thread context of 1324	2388	hab.exe	47
PID 2668 set thread context of 2276	2668	remcos.exe	52
PID 1508 set thread context of 1304	1508	hab.exe	54
PID 2228 set thread context of 2340	2228	remcos.exe	59
PID 2676 set thread context of 1628	2676	hab.exe	61
PID 1588 set thread context of 2128	1588	remcos.exe	66
PID 2496 set thread context of 2768	2496	hab.exe	68
PID 2796 set thread context of 2788	2796	remcos.exe	73
PID 2616 set thread context of 2700	2616	hab.exe	75
PID 1356 set thread context of 1088	1356	remcos.exe	80
PID 1684 set thread context of 2040	1684	hab.exe	82
PID 2000 set thread context of 1428	2000	remcos.exe	87
PID 1320 set thread context of 1324	1320	hab.exe	89
PID 1240 set thread context of 560	1240	remcos.exe	94
PID 2276 set thread context of 1740	2276	hab.exe	96
PID 2216 set thread context of 2104	2216	remcos.exe	101
PID 2504 set thread context of 884	2504	hab.exe	103
PID 1580 set thread context of 2292	1580	remcos.exe	108
PID 1704 set thread context of 2128	1704	hab.exe	110
PID 1868 set thread context of 2708	1868	remcos.exe	115
PID 2784 set thread context of 2884	2784	hab.exe	117
PID 2836 set thread context of 2576	2836	remcos.exe	122
PID 1356 set thread context of 2656	1356	hab.exe	124
PID 840 set thread context of 1996	840	remcos.exe	129
PID 2388 set thread context of 2364	2388	hab.exe	131
PID 1932 set thread context of 2436	1932	remcos.exe	136
PID 2428 set thread context of 1536	2428	hab.exe	138
PID 328 set thread context of 2680	328	remcos.exe	143
PID 2216 set thread context of 552	2216	hab.exe	145
PID 864 set thread context of 1660	864	remcos.exe	150
PID 1580 set thread context of 1584	1580	hab.exe	152
PID 1560 set thread context of 2296	1560	remcos.exe	157
PID 764 set thread context of 2132	764	hab.exe	159
PID 2604 set thread context of 2760	2604	remcos.exe	164
PID 2592 set thread context of 2644	2592	hab.exe	166
PID 2028 set thread context of 856	2028	remcos.exe	171
PID 2372 set thread context of 1760	2372	hab.exe	173
PID 2364 set thread context of 2888	2364	remcos.exe	178
PID 2864 set thread context of 2236	2864	hab.exe	180
PID 1536 set thread context of 296	1536	remcos.exe	185
PID 1648 set thread context of 680	1648	hab.exe	187
PID 1048 set thread context of 1532	1048	remcos.exe	192
PID 2664 set thread context of 864	2664	hab.exe	194
PID 2496 set thread context of 2128	2496	remcos.exe	199
PID 1884 set thread context of 352	1884	hab.exe	201
PID 2808 set thread context of 2160	2808	remcos.exe	206
PID 2720 set thread context of 2240	2720	hab.exe	208
PID 1356 set thread context of 2020	1356	remcos.exe	213
PID 1528 set thread context of 2028	1528	hab.exe	215
PID 1760 set thread context of 2488	1760	remcos.exe	220
PID 1624 set thread context of 1156	1624	hab.exe	222
PID 2236 set thread context of 1752	2236	remcos.exe	227
PID 1632 set thread context of 2284	1632	hab.exe	229
PID 868 set thread context of 2216	868	remcos.exe	234
PID 2660 set thread context of 1984	2660	hab.exe	236
PID 2256 set thread context of 2972	2256	remcos.exe	241
PID 1588 set thread context of 2480	1588	hab.exe	243
PID 352 set thread context of 764	352	remcos.exe	248
PID 2812 set thread context of 636	2812	hab.exe	250

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2260	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
2260	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
3024	hab.exe
3024	hab.exe
1592	hab.exe
1592	hab.exe
2920	remcos.exe
2920	remcos.exe
2604	remcos.exe
2604	remcos.exe
2636	hab.exe
2636	hab.exe
2656	hab.exe
2656	hab.exe
1244	remcos.exe
1244	remcos.exe
2404	remcos.exe
2404	remcos.exe
2388	hab.exe
2388	hab.exe
1324	hab.exe
1324	hab.exe
2668	remcos.exe
2668	remcos.exe
2276	remcos.exe
2276	remcos.exe
1508	hab.exe
1508	hab.exe
1304	hab.exe
1304	hab.exe
2228	remcos.exe
2228	remcos.exe
2340	remcos.exe
2340	remcos.exe
2676	hab.exe
2676	hab.exe
1628	hab.exe
1628	hab.exe
1588	remcos.exe
1588	remcos.exe
2128	remcos.exe
2128	remcos.exe
2496	hab.exe
2496	hab.exe
2768	hab.exe
2768	hab.exe
2796	remcos.exe
2796	remcos.exe
2788	remcos.exe
2788	remcos.exe
2616	hab.exe
2616	hab.exe
2700	hab.exe
2700	hab.exe
1356	remcos.exe
1356	remcos.exe
1088	remcos.exe
1088	remcos.exe
1684	hab.exe
1684	hab.exe
2040	hab.exe
2040	hab.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2260	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
2260	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
3024	hab.exe
3024	hab.exe
1592	hab.exe
1592	hab.exe
2920	remcos.exe
2920	remcos.exe
2604	remcos.exe
2604	remcos.exe
2636	hab.exe
2636	hab.exe
2656	hab.exe
2656	hab.exe
1244	remcos.exe
1244	remcos.exe
2404	remcos.exe
2404	remcos.exe
2388	hab.exe
2388	hab.exe
1324	hab.exe
1324	hab.exe
2668	remcos.exe
2668	remcos.exe
2276	remcos.exe
2276	remcos.exe
1508	hab.exe
1508	hab.exe
1304	hab.exe
1304	hab.exe
2228	remcos.exe
2228	remcos.exe
2340	remcos.exe
2340	remcos.exe
2676	hab.exe
2676	hab.exe
1628	hab.exe
1628	hab.exe
1588	remcos.exe
1588	remcos.exe
2128	remcos.exe
2128	remcos.exe
2496	hab.exe
2496	hab.exe
2768	hab.exe
2768	hab.exe
2796	remcos.exe
2796	remcos.exe
2788	remcos.exe
2788	remcos.exe
2616	hab.exe
2616	hab.exe
2700	hab.exe
2700	hab.exe
1356	remcos.exe
1356	remcos.exe
1088	remcos.exe
1088	remcos.exe
1684	hab.exe
1684	hab.exe
2040	hab.exe
2040	hab.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2260	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
3024	hab.exe
1592	hab.exe
2920	remcos.exe
2604	remcos.exe
2636	hab.exe
2656	hab.exe
1244	remcos.exe
2404	remcos.exe
2388	hab.exe
1324	hab.exe
2668	remcos.exe
2276	remcos.exe
1508	hab.exe
1304	hab.exe
2228	remcos.exe
2340	remcos.exe
2676	hab.exe
1628	hab.exe
1588	remcos.exe
2128	remcos.exe
2496	hab.exe
2768	hab.exe
2796	remcos.exe
2788	remcos.exe
2616	hab.exe
2700	hab.exe
1356	remcos.exe
1088	remcos.exe
1684	hab.exe
2040	hab.exe
2000	remcos.exe
1428	remcos.exe
1320	hab.exe
1324	hab.exe
1240	remcos.exe
560	remcos.exe
2276	hab.exe
1740	hab.exe
2216	remcos.exe
2104	remcos.exe
2504	hab.exe
884	hab.exe
1580	remcos.exe
2292	remcos.exe
1704	hab.exe
2128	hab.exe
1868	remcos.exe
2708	remcos.exe
2784	hab.exe
2884	hab.exe
2836	remcos.exe
2576	remcos.exe
1356	hab.exe
2656	hab.exe
840	remcos.exe
1996	remcos.exe
2388	hab.exe
2364	hab.exe
1932	remcos.exe
2436	remcos.exe
2428	hab.exe
1536	hab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2136	2260	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe	30
PID 2260 wrote to memory of 2136	2260	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe	30
PID 2260 wrote to memory of 2136	2260	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe	30
PID 2260 wrote to memory of 2136	2260	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe	30
PID 2136 wrote to memory of 3024	2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe	31
PID 2136 wrote to memory of 3024	2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe	31
PID 2136 wrote to memory of 3024	2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe	31
PID 2136 wrote to memory of 3024	2136	ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe	31
PID 3024 wrote to memory of 1592	3024	hab.exe	32
PID 3024 wrote to memory of 1592	3024	hab.exe	32
PID 3024 wrote to memory of 1592	3024	hab.exe	32
PID 3024 wrote to memory of 1592	3024	hab.exe	32
PID 1592 wrote to memory of 2736	1592	hab.exe	33
PID 1592 wrote to memory of 2736	1592	hab.exe	33
PID 1592 wrote to memory of 2736	1592	hab.exe	33
PID 1592 wrote to memory of 2736	1592	hab.exe	33
PID 2736 wrote to memory of 2812	2736	WScript.exe	34
PID 2736 wrote to memory of 2812	2736	WScript.exe	34
PID 2736 wrote to memory of 2812	2736	WScript.exe	34
PID 2736 wrote to memory of 2812	2736	WScript.exe	34
PID 2812 wrote to memory of 2920	2812	cmd.exe	36
PID 2812 wrote to memory of 2920	2812	cmd.exe	36
PID 2812 wrote to memory of 2920	2812	cmd.exe	36
PID 2812 wrote to memory of 2920	2812	cmd.exe	36
PID 2920 wrote to memory of 2604	2920	remcos.exe	37
PID 2920 wrote to memory of 2604	2920	remcos.exe	37
PID 2920 wrote to memory of 2604	2920	remcos.exe	37
PID 2920 wrote to memory of 2604	2920	remcos.exe	37
PID 2604 wrote to memory of 2636	2604	remcos.exe	38
PID 2604 wrote to memory of 2636	2604	remcos.exe	38
PID 2604 wrote to memory of 2636	2604	remcos.exe	38
PID 2604 wrote to memory of 2636	2604	remcos.exe	38
PID 2636 wrote to memory of 2656	2636	hab.exe	39
PID 2636 wrote to memory of 2656	2636	hab.exe	39
PID 2636 wrote to memory of 2656	2636	hab.exe	39
PID 2636 wrote to memory of 2656	2636	hab.exe	39
PID 2656 wrote to memory of 1972	2656	hab.exe	40
PID 2656 wrote to memory of 1972	2656	hab.exe	40
PID 2656 wrote to memory of 1972	2656	hab.exe	40
PID 2656 wrote to memory of 1972	2656	hab.exe	40
PID 1972 wrote to memory of 2324	1972	WScript.exe	41
PID 1972 wrote to memory of 2324	1972	WScript.exe	41
PID 1972 wrote to memory of 2324	1972	WScript.exe	41
PID 1972 wrote to memory of 2324	1972	WScript.exe	41
PID 2324 wrote to memory of 1244	2324	cmd.exe	43
PID 2324 wrote to memory of 1244	2324	cmd.exe	43
PID 2324 wrote to memory of 1244	2324	cmd.exe	43
PID 2324 wrote to memory of 1244	2324	cmd.exe	43
PID 1244 wrote to memory of 2404	1244	remcos.exe	45
PID 1244 wrote to memory of 2404	1244	remcos.exe	45
PID 1244 wrote to memory of 2404	1244	remcos.exe	45
PID 1244 wrote to memory of 2404	1244	remcos.exe	45
PID 2404 wrote to memory of 2388	2404	remcos.exe	46
PID 2404 wrote to memory of 2388	2404	remcos.exe	46
PID 2404 wrote to memory of 2388	2404	remcos.exe	46
PID 2404 wrote to memory of 2388	2404	remcos.exe	46
PID 2388 wrote to memory of 1324	2388	hab.exe	47
PID 2388 wrote to memory of 1324	2388	hab.exe	47
PID 2388 wrote to memory of 1324	2388	hab.exe	47
PID 2388 wrote to memory of 1324	2388	hab.exe	47
PID 1324 wrote to memory of 2568	1324	hab.exe	48
PID 1324 wrote to memory of 2568	1324	hab.exe	48
PID 1324 wrote to memory of 2568	1324	hab.exe	48
PID 1324 wrote to memory of 2568	1324	hab.exe	48

C:\Users\Admin\AppData\Local\Temp\ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
"C:\Users\Admin\AppData\Local\Temp\ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe
  "C:\Users\Admin\AppData\Local\Temp\ed71993a523627e72a640994484ba1313119c640d7cf74f0fbd381b5af2b7315.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Modifies WinLogon
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        16⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        18⤵
        Loads dropped DLL
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        22⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        23⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        24⤵
        Loads dropped DLL
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        28⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        29⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        30⤵
        Loads dropped DLL
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        34⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        35⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        36⤵
        Loads dropped DLL
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        40⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        41⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        42⤵
        Loads dropped DLL
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        46⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        48⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        52⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        53⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        54⤵
        Loads dropped DLL
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        58⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        59⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        60⤵
        Loads dropped DLL
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        63⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        64⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        65⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        66⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        67⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        68⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        69⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        70⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        71⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        72⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        73⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        74⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        75⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        76⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        77⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        78⤵
        Loads dropped DLL
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        79⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        80⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        81⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        82⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        83⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        84⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        85⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        86⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        87⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        88⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        89⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        91⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        92⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        93⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        94⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        95⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        96⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        97⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        98⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        100⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        101⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        103⤵
        Suspicious use of SetThreadContext
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        104⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        105⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        106⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        107⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        108⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        109⤵
        Suspicious use of SetThreadContext
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        110⤵
        Drops file in Windows directory
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        111⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        112⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        114⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        115⤵
        Suspicious use of SetThreadContext
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        116⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        118⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        119⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        120⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        121⤵
        Suspicious use of SetThreadContext
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        122⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        123⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        124⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        125⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        126⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        127⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        128⤵
        Drops file in Windows directory
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        129⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        130⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        131⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        132⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        133⤵
        Suspicious use of SetThreadContext
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        134⤵
        Drops file in Windows directory
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        135⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        136⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        137⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        138⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        139⤵
        Suspicious use of SetThreadContext
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        141⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        142⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        143⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        145⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        146⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        147⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        148⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        150⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        151⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        152⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        153⤵
        Suspicious use of SetThreadContext
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        154⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        155⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        156⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        157⤵
        Suspicious use of SetThreadContext
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        158⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        159⤵
        Suspicious use of SetThreadContext
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        160⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        161⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        162⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        163⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        164⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        165⤵
        Suspicious use of SetThreadContext
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        166⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        167⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        168⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        169⤵
        Suspicious use of SetThreadContext
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        170⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        171⤵
        Suspicious use of SetThreadContext
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        172⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        173⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        174⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        175⤵
        Suspicious use of SetThreadContext
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        176⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        177⤵
        Suspicious use of SetThreadContext
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        178⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        179⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        180⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        181⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        182⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        183⤵
        Suspicious use of SetThreadContext
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        184⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        185⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        187⤵
        Suspicious use of SetThreadContext
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        188⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        189⤵
        Suspicious use of SetThreadContext
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        190⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        192⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        193⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        194⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        195⤵
        Adds Run key to start application
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        196⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        197⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        198⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        199⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        200⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        201⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        202⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        203⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        204⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        206⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        207⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        208⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        209⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        210⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        211⤵
        Drops file in Windows directory
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        212⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        213⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        214⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        216⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        217⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        218⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        219⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        220⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        221⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        222⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        223⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        224⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        225⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        226⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        227⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        228⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        229⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        230⤵
        Drops file in Windows directory
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        231⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        232⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        233⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        234⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        235⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        236⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        238⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        239⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        240⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        241⤵
        Drops file in Windows directory
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        242⤵
        Drops file in Windows directory
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        243⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        244⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        245⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        246⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        247⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        248⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        249⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        250⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        251⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        252⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        253⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        254⤵
        Drops file in Windows directory
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        256⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        257⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        259⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        261⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        262⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        264⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        265⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        267⤵
        Adds Run key to start application
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        268⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        270⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        271⤵
        Drops file in Windows directory
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        272⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        273⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        274⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        275⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        277⤵
        Drops file in Windows directory
        
        PID:1212
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        278⤵
        Drops file in Windows directory
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        279⤵
        Adds Run key to start application
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        280⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        281⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        282⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        283⤵
        Drops file in Windows directory
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        284⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        285⤵
        Adds Run key to start application
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        286⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        287⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        288⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        289⤵
        Drops file in Windows directory
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        290⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        291⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        292⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        293⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        294⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        295⤵
        Drops file in Windows directory
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        296⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        298⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        300⤵
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        301⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        302⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        303⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        304⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        306⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        307⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        308⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        309⤵
        Adds Run key to start application
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        310⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        311⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        312⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        313⤵
        Drops file in Windows directory
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        314⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        315⤵
        Adds Run key to start application
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        316⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        317⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        318⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        319⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        320⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        321⤵
        Adds Run key to start application
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        322⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        323⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        324⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        325⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        326⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        327⤵
        Adds Run key to start application
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        328⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        329⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        330⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        331⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        332⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        333⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        334⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        335⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        336⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        337⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        338⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        339⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        340⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:1792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        341⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        342⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        343⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        344⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        345⤵
        Adds Run key to start application
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        346⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        347⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        348⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        349⤵
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        350⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        351⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        352⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        353⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        354⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        355⤵
        Drops file in Windows directory
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        356⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        357⤵
        Adds Run key to start application
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        358⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        359⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        360⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        362⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        363⤵
        Drops file in Windows directory
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        364⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        365⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        366⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        367⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        368⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        369⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        370⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        371⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        372⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        373⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        374⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        375⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        376⤵
        System Location Discovery: System Language Discovery
        
        PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
827d552b9b4b18cb372316a3820230eb

SHA1
5c5ff4786f3742a270df678726b5918d648e60b0

SHA256
2503d9451b9890b94d4c8f01d0275db59d3ad5187942101b7b5ca7d92c8ca977

SHA512
ee6813fdaada7f5f4749ba9a2e531e4db7cb9d4a488891eab3f76e7e06e7efc53efa92cc03ef75d209bca342fa98a63a9f12714cbd4f8291bbac2e5fb20e60a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
2c6a69e2a906298ffe139da60967c27e

SHA1
6b0784029e91a1271d21ba2d7d283d4feb85e80c

SHA256
4710671ae8e5039bb54a696bf86b0d60cb1dcd0b24d5b3a0a2afced23003b884

SHA512
0053b10a97cb44f08efa7fb81bf2dcdcde6b23278da714d8679297df7c6bcc594e0702a167283d9b5e959e8e183c6dde5de528fcd19f05334909efb70f8966e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
a2fbc9105c00da165c3ff127428ea4be

SHA1
887ed00dffb46b258f9d89e414a35a15b27d5bce

SHA256
d1e3205cbbb511e77b29ce258aa734979fd7cc2899606ef57c42c1107d9ba40a

SHA512
7ed7873292727f0568fd199f183fb2174fd17261e4a3a9a02ffd00eb29bb8d9e29944f3192b034d6cbf213d7710d5d8dfd0e08658949744eb7b895957530b265

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
bef782418e299a3b559e88c99e1dd4ed

SHA1
00f2536b9965e0f8ba180b4b890275df84eeaae2

SHA256
835f5ae1eb57843dc1539bad6f2ac524922ba2540d2738aacdea0c70c5bc2c4b

SHA512
63a31524a383408ffb917ee2f34e7d4e5e0266edbccb534a4c96aec21d03602f0b669c3364a28893a65db9dc01560aef35e9e35c227389bc7d204eeffb2b7cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
fd518ccd196a1b54a8ba8d165e7e5a30

SHA1
1ab371a317ad25e24c72519baf3eaefdf62fd379

SHA256
f0127c1b36ab663794b48a710a95481deea96f3b014e403eceae34b6768e1bbe

SHA512
2b67bbda6a5d2249a20af99233d012086d3d07d02449cbfeef4d30e2fa62e2921a63c384b7c84e39cb2b222fca66ff2f24acfd97cc870d6be5ad7a36d26be92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
aa185d87083146680bfd22bcc07f4dfc

SHA1
dbbe3d22a54997372e64235414046abc9ca3e795

SHA256
b6a180f0234a6f30c1bd90084b5cbafb80e3d2872ad84d98cd280816340964ec

SHA512
a926d931c076fcb59a2e13b28c9232568227ecb0b4160124d867d8aa631f21a954bbafea955e8699937f632284adf4fd13f01bebaf6320866983dc1638d9014c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
36ac41c803df6c2bd6042119271b7eb5

SHA1
a3ad3055ee014501b0364d04ad354faf41b80cc5

SHA256
091206a5e79daf057ea5ab706674847978adefb8093022aa07dd7e8ee4643e61

SHA512
08c8723f0c1c02f6dcf89611722ab5ddadc8a3f9b4306f627289ad6bff2d90844a8dec0fe6d343fec2dd9cca11259028e2ead4c95c98275585aa0906c7fabd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
8092e282892cfb45e1d7fc9aa9c42859

SHA1
1da20d0399bf6e566922f2a93ed3f6bd3595f92a

SHA256
9bc27fbdea4076fc0a7acf7201c6a6a0683785c79d083af9acb606bbfb791df0

SHA512
c2f271666c1199a5ed9bc03c570e90af85ff94f0f570bc2c9d9b838b962b3575e95f50e880ca84889bff467eb94bbd4d3777c454d06fecbd5453b9bfee45bc55

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
496a0f67a2fa612c644c2bc820a72198

SHA1
6efe4b6220f619866d91706d05ca3f9aa09e3c1a

SHA256
e84722d7111c2ce3c85c29eb488682d474f79f71cac50b1525e80e53bbabdd06

SHA512
b6b8c0f2ae155dbadf4e7e5f9dd11a53f9d4fb9a5d72a756aae61542ae9770796a5364ce339ed990acaba3e5a597be7189aca9f44485177a6524d74d88898a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
fe4f1108bf61c263202f86a3c60fa2bc

SHA1
6ab1f911e10589e4af619fba6581be37d745a3d1

SHA256
e21447304b0957b68dbdf23adf3117bbf607d1a1b3bc7dcba8b6c22ab56e031b

SHA512
b7a1457b2ce72aa63f2800473a11f76576626164b061fee31b2b24295afb6b9c0afef989fd30ee03eaefae40d0c0dd1613c2e8620e7a8e65a435db9e90e07c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
5a6c394d7d50690c63d66bd470fdde3a

SHA1
0ae3340e9711b4e6022fd57b4a61997fd40d0a9f

SHA256
6374b5252e1b6b9c45bd6cc5358f63c55b93921f898c484961bfb7073d3d2796

SHA512
01d3eb767457f2a395fc3c48d068f2b00ebc5df3370f36c6beb1eeea8a605c68e171fd1103b3e8c3b7f00b22d04962c1d0f992f514816c74a92f4d6351596673

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
68e9f03e247044e726e4101111eeaea2

SHA1
2411a5120b60dedf3cb4efe9c6b4503c949c72dd

SHA256
535cfd97d62e8fdfa595ee030082e0e3d0fa3f21344bf1a5f1e7aefb4e6f6d35

SHA512
de424f3b64554e755b1489392f2531c48c831257ed1bbd502cd07b3ba1776ea96083847fea3428a1c04248db75cd763b1a2c39b3b564f67be8f6bc17d71992a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
344b52c042179681915b8979db282be4

SHA1
a2f8a6b6499cbd6cfd5f6e143fd38bdf2c9dd863

SHA256
c77263fb60f8b12ff3d0d314c0aca46eca4b9b78a3fe7c39f172ba5c34dc511e

SHA512
69159b56993e53cbaa22679230ebed20e7c8751d0237f8865876a9f4302071bcfb5f51b21061fe67bfd850aeb2aebfa6dc72a805ff9d35eb551cb0f8e33e17c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
29db8179063b46b132754dcb3b3b361e

SHA1
c2753cdf2fd13584b3f431e96844537120bf5015

SHA256
ec0a9442f9219fcc43f6ee21e961eccd95e7e1d3c3870e21de5dcf57b7bc8b9f

SHA512
2237264f6331ad0436b558a19d245cfc6b866140f77039f5b086d2b37b4043090ef21e6623e9fcaa392ecff5aaaaf2ec8b20d66df24df9a754bf7c823e2ef252

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
a91f467fe2b8088df5bf88cb7808cb85

SHA1
f4681cfb907a7f043dd3d10a44bccc99d3b953e0

SHA256
12f5031ceaa2272e3d380cfd7afdde7723fedf9219b6250f00aaef99922fa9c8

SHA512
ef7d268887037a4d96c3f487d19b7df625c938a721b004af6b8ecc1dfa7095b14185c59ef52f3ab03b88ffaf4e0b6d6bf639d81185704774b3450f6c2661f2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
9e7c8f37ad1876aa2490a01981681c78

SHA1
05a344956a8e5a01e8ddae5799ae273732928724

SHA256
d22e9f429c6f9b74c3a28b4ffa5cb6423034afc2046d5e078b1048fc24678ac1

SHA512
da4ab5eb83238162ff1882b49dce121ede328ad084a4308fca7ea3fb0d95d4c9ab96ddab4021477ca8d8f9d9712e9f7de6e12062650fe75f713631264caeedb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
21047fed575ee0c772d6ffa021a58ab4

SHA1
ed6d18291da74be6760df7674c38bc2389d2019d

SHA256
364bcfd5418ad749211326393f35996b232693edf4605d15216a9f530fa054e3

SHA512
6efa66602f54e540d0ec29418a1fc85f959f28e8391652093fb273256d1a1c48d285b15f6d06601287e94a6e76ccb1e85076e1f4adb740aba299f2ea4dccfcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
2f28e90d1b3173c68f4e6b7008b0e845

SHA1
2d5638c55d81013ecddddfb851ef758deab5809a

SHA256
46bef8e52cabc5b2efc67aff3ac2235b1088092c2627509aa3bf175e8821b3dd

SHA512
8fa97bb51ded5da5536d4b851a21bfc5a5478919a66b074364ce5aeda50b76d9cf8a45a10c047671de06a43c0fb453a2e2f890489b075083cdaf26e3c43a3a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
3fb99a618f3758f472b1de00bc28e005

SHA1
05cc208f758de1e65bebad73bcc846df70ee896b

SHA256
fe709f91c47775dd9fd6d619b8367be95aa697f8b6084ab6b62a37cd6a571d90

SHA512
27c8d08c4e0c3bef4e24eb80a9b861808c1c9b219802328fba772a65f8cb587705067a93d28294bc6369b3a2dc0a33b1b364c36284796c50c4b557c1ff5b0eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
0d0a15de22035026eaadf3a3928ae239

SHA1
52dfbfd22808c6868a3d0215aae5c75b3c4aa670

SHA256
83cbbd8c22cdaadf27e9f83460971a6e9fa9535daf2450329d767b8cc0cfb78d

SHA512
0e15f1c40fea3696407bd158d1829e86943b0af2dc1f61ae28886a9f139b0a3d3dc46fa9ace154040f9d05cef0f57e619e8bda3d243013394bd7fc588872f53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
f500aeb9e9a827dd48c39af67311555d

SHA1
22a4b0fc677a0c76df830d4733adfd6513bbeec9

SHA256
ce9e773226e7da9cb2324c470302fb620bdaa44938c65538d03b5ff214b03102

SHA512
3db3cb5d44dcf562fdd64d3c75ef7d65a145f228b56523e970b7dfc6e5cf7d0c17c5328797501f162112dc8f812342889c69b6b9a0b5304d4fe93d17090d821b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
335c782a7866d2fd519322247970f189

SHA1
6cea9838fe16c47029d110c1ccd071ccaa85217b

SHA256
caabaf2c0efb90161d721dd664486ca8a0553b0f6490e5983597ec4d71c31945

SHA512
76159d7a94a0b8c1652aa972ba75e2da80ba403606266daefa6a90cb456640ca5f371f4f7e58079a0c36401f052f5671d301bab16ec7557294f1471449c13234

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
44d598977dba961739b4d2d4d879acdb

SHA1
148cb9839dde92fcbc54ca96459c1f6a35c90499

SHA256
2411c7a84cec5ab0a49dc89fbd6f50fcae1716e7757edb77b3f03a6a28149ca4

SHA512
e2f8fef2c0c54f5baa1150577235b0b06bfafc2cd540d9ef3b29d23875eaa4ba254e6fff9022dbed244aa4918c195fc4a5904fec580f4d03acae074fbb1a8e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
735936b76ad94b4e0cbc73450cb25ff6

SHA1
48ff24123bc25ac95d72798dc1bdae8c52e38c3f

SHA256
b354df29714facb7ebf5c89962137314a6fe6f042a775dd0964a7e4f62944d7f

SHA512
0cbbb211de1fe78ae2a6e58ec0a42ea8ae5106850a871fd8437f8cd256646b20fdfbb9dcf082df4210b5c72f703288ce0a0766c435395ec8ee72f695fc82f08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
9b903b468952b9c8a57ebb4967b6bd9f

SHA1
0712228125a64d711dc1a4d52b156011353d81f6

SHA256
5f190d8edf1b7064a51931f0b7809c4b79907a8f3c21a1a0e0da85f267b8a649

SHA512
dc01734e93b157e402354767641ff91df2deeafb3dfd4869bdb5e76e67bab0dc6de898a4e5b16ee3235c7963e9b50e907e8aa2dc6ef650bf3ef1201459160806

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
e1dbccf264d1beb1e8fbd944cf6d2181

SHA1
2faf98882f2d65041f12efa60b0334ff24e341c5

SHA256
60825220a618071d57ef8bdc8e6cc86cd23520eb1d6c29c451e77c04bfbd1b18

SHA512
3f22a5de268f9b937b8eee25297178c2e0db48a0c3a237a1c367f8666c53b6825dc40e1c961f9f40757d318506e63fcb844b778e2bb3e5c1058aff2c3fcf77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
6e1f8b7b0f591e6523f2a86c53a17c41

SHA1
7d9da8aa8fa2726dabcc0f561a29ad3035d9a266

SHA256
869f9f22fe83c921ef67f9da43404a0ddfe580084ab576e27afe954ea824df38

SHA512
ef83bd27fd0fc5a018eb390c4ed6c224a36adac13b7cf28441ecc95d12da1c499a235fafe029b89cdbd322b3f0eeef2d26d5287117ea62ebbfb528480f170f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
6c2dbb8c24c38d0e484cde6f9a2c434a

SHA1
357883df7044cd95caf64829f3b8720ae90bd9d5

SHA256
86ea78e21116211db5cd899a15765b728b3f0c4d8a31722f65cca6aab87c764e

SHA512
a5db957283f2aa16427437da9adbf60cb2638fb428f9402ab7aa6648591e69df1876bcd64904aa0233c60322de89b5244e21878c8f35d9dfeec86511925a2535

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
12ee1a9cfa00a544c846deb0655ba53d

SHA1
218708a2ba3c0fc33a57c38fbe88a4f68ea1fedd

SHA256
5fb7d75a6d8588bcfcea5c8310263fe5bf2c80312cec51af316da3fee1aa8b0e

SHA512
04b41fa04e9c914f03e2e590d34a9d5e61b70d0fbe00e99c2174407f5d52db35daee270a283d65a82a8be117d772d98de6f7def7ce34c9a97d27d0d7af7553c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
2488435ecbfad39dd2395ff959759410

SHA1
56d2cc2cfa5100d6746da2931f16a5428f72a5a2

SHA256
194fd314e978e520652eab1db440dd397c4958045dae181f0c4ada5ea1e1eabb

SHA512
dc402962defd108893470ad1615e2acb3a79cecafba6ef9027ec7d0e50c0733f59ae98d8ba47c43c4c78e41a9e0b9cf64da41958db2ea146f3b67d258a918e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
52122c8c97b7696fe4943ed83b674a77

SHA1
c53e316ba775afe8f12c0311d559df628d19a371

SHA256
f15dd82c41c071534bd365197ed1437c72a142d43ea8a56c984b6506d6f2834e

SHA512
d2a409817211c063f90fc4db1eab1178a324ca077c26260e8a1ba6f264ebfc91eceb59ed25a640ceaa2b1ee1662d2f41a0e53fb7a3001b6886137c5b2eacd7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
28a40775a392db557220c93761dbe7a1

SHA1
4226f317fd38e15413cdf748e030b06faab9194e

SHA256
2554e978fcb58dae52b26dc29d69fcd17b83d3a4b00b615c3126b87608f6553c

SHA512
cc516c7ea4a286823fcaac6721251673092dd5aea868e3ba585d63181e29b220a2cbb4db6f616ff89e0ff663cf47f7bebc5f9668e811b6b779cde5ddbf99205d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ba32ea3382fcad30296dfe2d8615fea6

SHA1
92787840d727a613fca1fe9f6c9a76b949a281f8

SHA256
9ed48768823e0d055ae5861461114cab3ccb41e80420b288dca2cf748619f9a2

SHA512
8caba2d70df9176d5c769523a7bfe52d2042e4a28b1d78948050a97801092e65bb273d3d86e0d99f1cc45661e9b2a1d31e8cdc169556f4cbd5023450cbbee7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
5b5cb348f8376b567269d711ffc1d8ee

SHA1
4b6a06ad1f7b66c26742ade5b13ad224a64c8f0d

SHA256
6079c1dfab3516119907ea569aa9b89e287040b019b3c347d05e53e7762bff94

SHA512
4ed0b8648b2c4f45bc9d5689ca8bc8f40defa99da19150467a3c81cdfe5175766dbd63b984bc9763b63539df183ad3b8e1538a37b4de8488f7d4dc4096206ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
47ee849b3cd63ae597de408582d9595a

SHA1
d386580f37cea9adf08239f68e4e67fe36b3d0a4

SHA256
20a00eee8a5a886963d6154e5e4ecfa3e694d97154d9256e2daeac2210cc4b04

SHA512
b019000c5b2a0a95766e47000411d01c4b7b52356f9dfd46b062c90499bc076d1a809e23895efa74581505e724a29c105e597dacc7922f191f76e58e5d6d4cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
686e2c5c5158aab8ebaf7c1113c35b8a

SHA1
ede64cc633d2268c8715a5d528304f64326d2e07

SHA256
f57d6ba7f8175569510081105fd3829a9f94cdd4d0319e150166535e3b362877

SHA512
ae25384989d6cf6cdd25549c9b350e6fd776c809029bba1235b839a5b2b8b37feb5bf9a2260b40ed004079d8a5344cebefaa12f0ab5121d13656d2555430298a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
1927a828d0597d59b31a1d3c5f9c9c61

SHA1
07537ca4126d019fae85ecf3e10876731856162d

SHA256
80a5b86fa4298d74f8c8a33d3fcefbf4e9bbf645809ec4b3eafdd0ab8d1dc161

SHA512
3bb52b8727022ad140232fca31bdb7d5c9e23d2c75199e90995bd3a8d4bc82a7ed8159211fed27d295a40fa7fd3348a318839892b2229a945858b09e2fb8fd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
a09c53f68e096cfb35b810ec59a92e0e

SHA1
4ff022950842f1714fa2d7ca89bcb5c4f70d6c93

SHA256
065b25bdd95d91853bd83ee8c9b5ffe57334c32bf814b22e49862897cfc96356

SHA512
4eefefddd1e05843dd156a041a9bac2b27862a4fe5ddb743ae0cc01d47cfecd705882dafca4ad5d0a99421e871301a1d6bc46dd441b07800c4458a0046263d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
320957249de65034de17e0cff3ec5a9c

SHA1
28a0fae42fdc9c3636d8bdec95945923422940cf

SHA256
a1e4f33ffc7717c9357e8b2998e82551551c9f85d4b33a985dd5ace8d873ab89

SHA512
ce2086fb598e4e444d4172d8a826f800c3855ad692c08192918b24b436b527e14741dbb9b5d196832e7cf51a8ffcb5d5d79f425098e0cb6b03028e80bc761468

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
9f994186d6381f1b7ac9499a0a860783

SHA1
4a6e178e00bd236fec7e3b5486da73a187a18fb9

SHA256
2dfafeab5312017e3261b619bd55e3070aaaad2b4653044eab33b6c67d725e1c

SHA512
3b9dbfdb9af6461c471afccfbd66f9e0492c7b6887c815113693253a2c00f9f823e35fab5fc3a35527e64d4132648a0094a6c3b7684fc09def25218f5e4166d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
331ebaee79e889e0f877ed4884e5e2d0

SHA1
f544b9a586b6cdeb3483646d9813831e637bb425

SHA256
e308be8804b3d599d729ea88dc5a967d091d4f93aeef0458b87ba672d8798242

SHA512
6ee3f65f7d42b83ab1504b04544c082c3ba4d535883029253f62f06a6fa065ff2f5d1c27aeb8d8591500fa1dd5e14228124411b133ae748058b492878d05e459

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ec53a9839062b34a06c794f3f665e813

SHA1
b16e742c2a8b0cae1017d8a29eaa48e7f7f85262

SHA256
9d413f0624d77ab01b153ed1726ef8909000c7e5db489c940233d03a18f5fcbf

SHA512
8e3c745792436746b9e3ce1a0305ab5b2ce6ead09463831905e2da1c928174c914296a5d7802283caa3f73a0d30594d843af7e7058fce854f01b4c0a19866cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
8e95a90b087bf0212cfe41b1bbdbb0c8

SHA1
cb1da337175b624bd8fc110859f897c87e596f5f

SHA256
a073a73b6d7d66661e9526808ab40db9600493ccca2c273b67838d1e732d2338

SHA512
c4e3eef0e263d8f5c44d88dcb27eced402ca9c81f2eb901444879237096068408887ee812c755a828229e24af0411c0ba6aef6c7a45b80c7d12dd1754a2c11e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
899cff749ef09391bc83a753352fc82e

SHA1
501dc06c5fb43ef1e812edc2e2d0e1e6f2554e83

SHA256
2663360b3c3903b3a1c2b00bff6cb310025b8a1cec6edeacfd3977d39f8bd192

SHA512
ca2554051ac314e751372f7c95e93ca70ff24659f9491b22a9b72ec0fdc41a9f2311a8a7a4dcf05697351be283661f0eb8771c056808493c2778ea2621326bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
580a6b025a8bc8a2b3c4b8693402f567

SHA1
5befa3afbf0c2da8a3097412412c7347ebff54b6

SHA256
2f2c0fd3213ea1b2b409f216fcc8f50ffdc27f0bdb0f72a9b07ebb9789326e41

SHA512
16be9714ffa1b4a3282a05c96ded4f181b3573925de2333e0c378acfeb603bb34ba30a584d1a00ce00e58e9d47765fa0d0ce919fdb02cfd4ed1a3434a5548415

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
34ada7576690cc5fbc980b96ba7e1e83

SHA1
57550e5fec6779253ffc56cc2e1c85897777abef

SHA256
038745c82a289e65354a1b41e62482dabc6577d256e817958bfd877022433133

SHA512
484cb3829bd029b025baa38c1b351bcededc0940cde0024ce7619d07de4680f68167eda736ed5ed9d289efd1972e49763e337bd637051b7283a830012ad45b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ae104e106b383de7074f59a170465799

SHA1
5e43b31978122a3957ffe63b3c8f38a2e7e6f7af

SHA256
4f5a8ad741b28af7cb40766fd38cc1515a3bbbefedb192cb4e3568a79fdb228f

SHA512
0044561bcde87c55dd1383963866726c5e2e81242b80960c5eaae1f4f595dd50496531220660f62deb7e2553126457264620866f61cc4c02763df8a03ad4d715

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
440d78210ab59808c9b0cd82da1c68bb

SHA1
0035a24aeb2e5f69654a66a233a2fb81b7286781

SHA256
7e034c7e809eae9d71a77e010d8c412fc6d7f59923f6f1f41a936f5e8ce9656c

SHA512
1a60b19350e0b82b49c26508f6cdbc5a4fff85cf066266638d0c92719b62fe4b76c0677796904aecf698179310839feb6f0dae90430816231511c43bd96886dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
a9ee1fa0ec9796905e3b3460e4653151

SHA1
6e30862fe4ededfa8e93f5e8bc79e4b08f864b5f

SHA256
d5756210626259abe187d3e024cd07904363abcf70631c62b7a006f9bdaffece

SHA512
386da8ef586736076001a50d4289173af9ba2935cff039160136ad22bd1e3f4a2ef88906885f138285caa6383df0e1089cf5e34677e7eb4ab099d4ee137fb666

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
8e2cc64b05d7970c0fc945b760ff9a3d

SHA1
b2ceb20afdb69cee47f8b4a10579372f91e2b49a

SHA256
b3536c46ee55c7aefa9dac8fb677a9698467283bd56ae18c12854c66106cb3ba

SHA512
fb45417988f5717260a24c1e5a35e9546252f7cbf6cb0c615d7c273ea443faf0676afbfa1f358d124350da5d2eeddab6ef40ba9c71c1991c75550c8deecf16d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
c4cd7b64e3d184a24854a4bf7d1d7c80

SHA1
8d68e7ee6836de63ccfcd0345b3d7347bb9c17b4

SHA256
33156ed5adbd4189610dd27cf72ca32e7f5d44e9bd56ccdb41bf7b935bc1dc13

SHA512
a5e02b2e669cbda3df52f8b5a232df2a37744b6e7e0f6d03c917ec526455c333be8ff69ebc99427b666558303231a21c96576ef1ebf0ce9fb5598b3f282b231f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
d29db764cc38561a85c55e6366368942

SHA1
c1247c7feb8ed9e69020878648536075d64cb716

SHA256
d879ff3da86121c261ecd5ee2a9e9ff75f37397b1406c8266d62600ed8312c67

SHA512
15115f5d28e8a1079fa08efcee8869a7436dcc7bcbe1477ce9e7c7ff820f08ecf4ec73c5b8cb405d461cfdd13b1f86f3a7f4b994b802a28de4021c56e5bbf959

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
0ecb04f893d94278f1caeb5ddb005953

SHA1
e4bb089f23b83e1b0190f9be04dd6c179ada0e55

SHA256
8b33eb13e5482dd68c4a523258d68ef7fda26af946f8fcda8f88f82dcfa0859d

SHA512
2b1982288d09c5c52104c9f56247c00db9a6db28dfcde51bfb209fbd22a27b8379233be8acb362b09bb0acdab93e8f176ac69e71c58ce0f92b1e577cd9f95527

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
a818dd80812a82c8a50c0850c8fe56c9

SHA1
cae8224fef2a9287eee2c969ba39678baab64902

SHA256
d267c05fdba0500aebccbe92e559858fcc7d5d53f8c78b156473a4a926aad480

SHA512
6f5c69d2b14052aeba72bd79fa17394e36d68e17f3917d30f4f1a8678ebbcbe51fe2179b3bd5c3049905d825fcee777ee41162f426a8135d431520ce89b37bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
40f2efc2d65f832b3067373b785ec5a9

SHA1
ae52d0f86245b7367065bfe824d2f32f319716ab

SHA256
70fd0bcf9a1e9ae6675de41df8190bc9f011caf8ef882e10d089f7b71e4b71ad

SHA512
5283ca2c110b405daf3d9d4438bfd142b49b287e83a56cb04b87d3e7580e2f8d7de5a3ee3191560f023b1add43650ef181688650eb8466279165cfecf0422a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
e0c5556fd8f1ccab8c430306d7ba2cc1

SHA1
70af1f2807dde049a9b791e80542e2d1dcf7a567

SHA256
683d3011dd345ba8477756ccb3652d8d07020b807e371b9781cd45ae2fc2bbe3

SHA512
0443fa17a9bcf526579de637d10d5fc28d7395b5ee5d33b48f4bcbf285a9adba1022ca57f5f52f60386a6a79f61dfdbda3a3d9fec411faaa32ad75b71d1c1173

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
7e8495181eb1d5e68bbac2af19215f2a

SHA1
5d00a14215f239e41c42bc7f4b15e1a643a3207c

SHA256
e5347920837c8eb905efa89cfc2761a65f0d7bffedee7aa520b3157c2f8b63fb

SHA512
41f9a28fc9f988ea6e13938b887c36065ff4ff99466b820938702226e4ed90d0fce715fa1020170adfc8a1d0853d8b1fc01a643047e84264c643fc2dbd74d561

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
eb4895f3969cd2a121b420d91cdf5699

SHA1
2a64726c22468323e7fbbbda28fc4d262570962f

SHA256
612e9387339f4e3e3fa6b6ebddbbbbb43e8bc8d9363c6b7a44e23443f5741273

SHA512
d9db5dd0a8d56efa2bb9b73e2e0b930a340326f6203fbf52f876fa7b063106917a57068d786d31f3054c34a64e3b1526daad8bf3935559bafe68aca4a5b1cd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
4e1f25aa5d249b49b95bdd897f3e18a6

SHA1
51c8789aeb5fa5617af3e0504b55dfc4d39fa0d7

SHA256
696398aa9afe6cd08f15d687b6ed3db8672b90448eae606332f68aa717cfae60

SHA512
b04c0c575109fc0d0d8b0ad8ffe16e4c58c52261881ce13a249b9dd84d9d7b934d405bd802d9d79825147b33d69ac7f5cd95457310d9f59ca19f8615d4c90087

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
536B

MD5
b4118bddcc9fe0ae73396b2b1b58c970

SHA1
23afa06fa78bbcc9c11e8549681fd4956f9d6c45

SHA256
e5d5005f7c9fdada426273f14e2ebe328b84f9161e80acc1396dadbe9897e98f

SHA512
fdc29fb8fafb990e52487b9ec22140dcbc8c684efa53da41e348584c623fff1a7ce1a9b3deaccdb25867479b393d52d199c8f09cb365e6c84e5980f6d4285b67

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
faf806311041508bec8f18bb035a4e35

SHA1
f7f1ddebc4d369c50d2ad7ae8136f339b1820621

SHA256
5a272beb2f652e00780e8396452faa18bb92bddf3b618bee5c0674de1ae7f5de

SHA512
6aec4d7fbabaa4546b549df6cdc0159471814bc0d8ff60019387d90469429be02edf3aa0be72822b4b9805bcaa997d6c6f5916a17fbdff2a743c26bd8b96cfbc

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
4570d4ee3b0b41e169c74bad01ef22b6

SHA1
db17590d696c4bbb06a2a159aaf6eb1b985879df

SHA256
8479cbab222d20b416cfbea7f54a4a879d287589d32bac61be5eac1ba03ccd55

SHA512
26c4fc4969ed0e3279af57fff11209febe0804a211e26862a07d808c8884aee40f86b3c5013c6b5922ae2ead52b41c11651fe594415cc5d87a2728c3391de467

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
7944e825a6373aff38ed93a80436fd4b

SHA1
639b1728576e79e0fd81e0adb70b27fdfacf1595

SHA256
7afa520edb3bc8bec08e30dfaa2a5d8ab44a3559a9d903e96d9e4bf66ead1582

SHA512
69b8eb80a76bd51660d39594e5018e8a56aacf2f1ced17c01e433caaf0bb50cc61f619d6f1ecec48430524702a64cf2bcc91e6385a5fe9168f2064bb1fe82e18

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ea6d544bbc07a53d695f401dd2f8a52d

SHA1
f0787a4290c422038b6b5df332bc2dff00ef0dc4

SHA256
a92bc5f5291e4cf9dbb5d364983f26477fb26b5657d1fbd1ed32cbac25de29d0

SHA512
c7e8da7bd5c80781b491e19250b90ae866988051edc25bfc385f957c465289ad742c9946df2d02a40d2f4ba3fd6200defb148e2342f787ed3e050d888773fc8b

Download Submit
memory/884-367-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/884-359-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/884-361-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download
memory/1304-171-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1304-165-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/1304-163-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1324-120-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1324-313-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1324-305-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1324-128-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1324-122-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/1592-42-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1592-34-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1592-36-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/1628-199-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/1628-205-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1628-198-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1740-334-0x0000000000630000-0x0000000000636000-memory.dmp

Filesize
24KB

Download
memory/1740-340-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1740-333-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2040-278-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2040-286-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2128-388-0x00000000023E0000-0x00000000023E6000-memory.dmp

Filesize
24KB

Download
memory/2128-386-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2128-394-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2136-14-0x0000000077920000-0x0000000077AC9000-memory.dmp

Filesize
1.7MB

Download
memory/2260-5-0x0000000077920000-0x0000000077AC9000-memory.dmp

Filesize
1.7MB

Download
memory/2260-13-0x0000000077B10000-0x0000000077BE6000-memory.dmp

Filesize
856KB

Download
memory/2260-12-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2260-2-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2260-4-0x0000000077921000-0x0000000077A22000-memory.dmp

Filesize
1.0MB

Download
memory/2656-85-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2656-77-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2656-79-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2700-251-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2700-259-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2768-226-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2768-224-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2768-232-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2884-413-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2884-415-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads