remcos | c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
15/02/2025, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
Size

372KB
MD5

03d608cc917542153e67be383b580a28
SHA1

f14e97712b6cf8b58e34106de4c40da86b78710a
SHA256

c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0
SHA512

fa99987e648ebb55802ab21b15c6e68b7c236a7c4d98ad05435255387e676aac6bc3fe9246b9615965f3412e260ab42af77f52beb5c76defebe6bfc4c76038e3
SSDEEP

6144:tVdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhim+:t3qQx+H2i+8LBNbdypazCXYI

Score

10^/10

remcos tino adware discovery persistence privilege_escalation rat stealer

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

TINo

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-5S9O07
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 58 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
32	2332	Process not Found

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	remcos.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
3588	hab.exe
4388	hab.exe
1184	remcos.exe
2384	remcos.exe
2084	hab.exe
432	hab.exe
368	remcos.exe
1824	remcos.exe
2960	hab.exe
1548	hab.exe
828	remcos.exe
1216	remcos.exe
4764	hab.exe
4032	hab.exe
1560	remcos.exe
796	remcos.exe
2164	hab.exe
1896	hab.exe
4580	remcos.exe
636	remcos.exe
3228	hab.exe
4752	hab.exe
4500	remcos.exe
4764	remcos.exe
448	hab.exe
2400	hab.exe
3216	remcos.exe
4196	remcos.exe
4416	hab.exe
4952	hab.exe
3604	remcos.exe
2668	remcos.exe
4560	hab.exe
1516	hab.exe
2892	remcos.exe
3496	remcos.exe
1792	hab.exe
4716	hab.exe
796	remcos.exe
1852	remcos.exe
3524	hab.exe
4376	hab.exe
2044	remcos.exe
3452	remcos.exe
4668	hab.exe
4388	hab.exe
2988	remcos.exe
3336	remcos.exe
4740	hab.exe
4204	hab.exe
4196	remcos.exe
5116	remcos.exe
5112	hab.exe
960	hab.exe
4732	remcos.exe
4440	remcos.exe
3644	hab.exe
664	hab.exe
1432	remcos.exe
2004	remcos.exe
1392	hab.exe
2384	hab.exe
4472	remcos.exe
4844	remcos.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe

Modifies WinLogon 2 TTPs 58 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\wdag.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\elevated_tracing_service.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\oneauth.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\te.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\msedgewebview2.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ne.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Extensions\external_extensions.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Other	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msvcp140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_200_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\mr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\elevation_service.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\th.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\microsoft_shell_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\he.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\or.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\CompatExceptions	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\fa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\lo.pak	setup.exe
File opened for modification	C:\Program Files\msedge_installer.log	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho.dll	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3872_13384072702746726_3872.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\es.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_stub.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\prefs_enclave_x64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\de.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Temp\source1808_1706578356\MSEDGE.7z	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\v8_context_snapshot.bin	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\da.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Extensions\external_extensions.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\microsoft_shell_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\vi.pak	setup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
216	MicrosoftEdgeUpdate.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\MSEdgeMHT	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}\ = "ie_to_edge_bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\MSEdgeHTM	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mhtml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings	hab.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4348	setup.exe
4348	setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1808	setup.exe
Token: SeIncBasePriorityPrivilege	1808	setup.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
836	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
836	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
1516	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
1516	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
3588	hab.exe
3588	hab.exe
4388	hab.exe
4388	hab.exe
1184	remcos.exe
1184	remcos.exe
2384	remcos.exe
2384	remcos.exe
2084	hab.exe
2084	hab.exe
432	hab.exe
432	hab.exe
368	remcos.exe
368	remcos.exe
1824	remcos.exe
1824	remcos.exe
2960	hab.exe
2960	hab.exe
1548	hab.exe
1548	hab.exe
828	remcos.exe
828	remcos.exe
1216	remcos.exe
1216	remcos.exe
4764	hab.exe
4764	hab.exe
4032	hab.exe
4032	hab.exe
1560	remcos.exe
1560	remcos.exe
796	remcos.exe
796	remcos.exe
2164	hab.exe
2164	hab.exe
1896	hab.exe
1896	hab.exe
4580	remcos.exe
4580	remcos.exe
636	remcos.exe
636	remcos.exe
3228	hab.exe
3228	hab.exe
4752	hab.exe
4752	hab.exe
4500	remcos.exe
4500	remcos.exe
4764	remcos.exe
4764	remcos.exe
448	hab.exe
448	hab.exe
2400	hab.exe
2400	hab.exe
3216	remcos.exe
3216	remcos.exe
4196	remcos.exe
4196	remcos.exe
4416	hab.exe
4416	hab.exe
4952	hab.exe
4952	hab.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
836	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
836	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
1516	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
1516	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
3588	hab.exe
3588	hab.exe
4388	hab.exe
4388	hab.exe
1184	remcos.exe
1184	remcos.exe
2384	remcos.exe
2384	remcos.exe
2084	hab.exe
2084	hab.exe
432	hab.exe
432	hab.exe
368	remcos.exe
368	remcos.exe
1824	remcos.exe
1824	remcos.exe
2960	hab.exe
2960	hab.exe
1548	hab.exe
1548	hab.exe
828	remcos.exe
828	remcos.exe
1216	remcos.exe
1216	remcos.exe
4764	hab.exe
4764	hab.exe
4032	hab.exe
4032	hab.exe
1560	remcos.exe
1560	remcos.exe
796	remcos.exe
796	remcos.exe
2164	hab.exe
2164	hab.exe
1896	hab.exe
1896	hab.exe
4580	remcos.exe
4580	remcos.exe
636	remcos.exe
636	remcos.exe
3228	hab.exe
3228	hab.exe
4752	hab.exe
4752	hab.exe
4500	remcos.exe
4500	remcos.exe
4764	remcos.exe
4764	remcos.exe
448	hab.exe
448	hab.exe
2400	hab.exe
2400	hab.exe
3216	remcos.exe
3216	remcos.exe
4196	remcos.exe
4196	remcos.exe
4416	hab.exe
4416	hab.exe
4952	hab.exe
4952	hab.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
836	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
1516	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
3588	hab.exe
4388	hab.exe
1184	remcos.exe
2384	remcos.exe
2084	hab.exe
432	hab.exe
368	remcos.exe
1824	remcos.exe
2960	hab.exe
1548	hab.exe
828	remcos.exe
1216	remcos.exe
4764	hab.exe
4032	hab.exe
1560	remcos.exe
796	remcos.exe
2164	hab.exe
1896	hab.exe
4580	remcos.exe
636	remcos.exe
3228	hab.exe
4752	hab.exe
4500	remcos.exe
4764	remcos.exe
448	hab.exe
2400	hab.exe
3216	remcos.exe
4196	remcos.exe
4416	hab.exe
4952	hab.exe
3604	remcos.exe
2668	remcos.exe
4560	hab.exe
1516	hab.exe
2892	remcos.exe
3496	remcos.exe
1792	hab.exe
4716	hab.exe
796	remcos.exe
1852	remcos.exe
3524	hab.exe
4376	hab.exe
2044	remcos.exe
3452	remcos.exe
4668	hab.exe
4388	hab.exe
2988	remcos.exe
3336	remcos.exe
4740	hab.exe
4204	hab.exe
4196	remcos.exe
5116	remcos.exe
5112	hab.exe
960	hab.exe
4732	remcos.exe
4440	remcos.exe
3644	hab.exe
664	hab.exe
1432	remcos.exe
2004	remcos.exe
1392	hab.exe
2384	hab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1516	836	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe	87
PID 836 wrote to memory of 1516	836	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe	87
PID 836 wrote to memory of 1516	836	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe	87
PID 1516 wrote to memory of 3588	1516	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe	88
PID 1516 wrote to memory of 3588	1516	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe	88
PID 1516 wrote to memory of 3588	1516	c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe	88
PID 3588 wrote to memory of 4388	3588	hab.exe	91
PID 3588 wrote to memory of 4388	3588	hab.exe	91
PID 3588 wrote to memory of 4388	3588	hab.exe	91
PID 4388 wrote to memory of 540	4388	hab.exe	93
PID 4388 wrote to memory of 540	4388	hab.exe	93
PID 4388 wrote to memory of 540	4388	hab.exe	93
PID 540 wrote to memory of 3492	540	WScript.exe	94
PID 540 wrote to memory of 3492	540	WScript.exe	94
PID 540 wrote to memory of 3492	540	WScript.exe	94
PID 3492 wrote to memory of 1184	3492	cmd.exe	96
PID 3492 wrote to memory of 1184	3492	cmd.exe	96
PID 3492 wrote to memory of 1184	3492	cmd.exe	96
PID 1184 wrote to memory of 2384	1184	remcos.exe	97
PID 1184 wrote to memory of 2384	1184	remcos.exe	97
PID 1184 wrote to memory of 2384	1184	remcos.exe	97
PID 2384 wrote to memory of 2084	2384	remcos.exe	98
PID 2384 wrote to memory of 2084	2384	remcos.exe	98
PID 2384 wrote to memory of 2084	2384	remcos.exe	98
PID 2084 wrote to memory of 432	2084	hab.exe	99
PID 2084 wrote to memory of 432	2084	hab.exe	99
PID 2084 wrote to memory of 432	2084	hab.exe	99
PID 432 wrote to memory of 4684	432	hab.exe	102
PID 432 wrote to memory of 4684	432	hab.exe	102
PID 432 wrote to memory of 4684	432	hab.exe	102
PID 4684 wrote to memory of 3812	4684	WScript.exe	105
PID 4684 wrote to memory of 3812	4684	WScript.exe	105
PID 4684 wrote to memory of 3812	4684	WScript.exe	105
PID 3812 wrote to memory of 368	3812	cmd.exe	107
PID 3812 wrote to memory of 368	3812	cmd.exe	107
PID 3812 wrote to memory of 368	3812	cmd.exe	107
PID 368 wrote to memory of 1824	368	remcos.exe	108
PID 368 wrote to memory of 1824	368	remcos.exe	108
PID 368 wrote to memory of 1824	368	remcos.exe	108
PID 1824 wrote to memory of 2960	1824	remcos.exe	109
PID 1824 wrote to memory of 2960	1824	remcos.exe	109
PID 1824 wrote to memory of 2960	1824	remcos.exe	109
PID 2960 wrote to memory of 1548	2960	hab.exe	110
PID 2960 wrote to memory of 1548	2960	hab.exe	110
PID 2960 wrote to memory of 1548	2960	hab.exe	110
PID 1548 wrote to memory of 4844	1548	hab.exe	111
PID 1548 wrote to memory of 4844	1548	hab.exe	111
PID 1548 wrote to memory of 4844	1548	hab.exe	111
PID 4844 wrote to memory of 1932	4844	WScript.exe	112
PID 4844 wrote to memory of 1932	4844	WScript.exe	112
PID 4844 wrote to memory of 1932	4844	WScript.exe	112
PID 1932 wrote to memory of 828	1932	cmd.exe	114
PID 1932 wrote to memory of 828	1932	cmd.exe	114
PID 1932 wrote to memory of 828	1932	cmd.exe	114
PID 828 wrote to memory of 1216	828	remcos.exe	116
PID 828 wrote to memory of 1216	828	remcos.exe	116
PID 828 wrote to memory of 1216	828	remcos.exe	116
PID 1216 wrote to memory of 4764	1216	remcos.exe	117
PID 1216 wrote to memory of 4764	1216	remcos.exe	117
PID 1216 wrote to memory of 4764	1216	remcos.exe	117
PID 4764 wrote to memory of 4032	4764	hab.exe	118
PID 4764 wrote to memory of 4032	4764	hab.exe	118
PID 4764 wrote to memory of 4032	4764	hab.exe	118
PID 4032 wrote to memory of 1312	4032	hab.exe	119

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
"C:\Users\Admin\AppData\Local\Temp\c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe
  "C:\Users\Admin\AppData\Local\Temp\c7641a93554e98436e4eebf117022344e53f3bdb950bd1ba2f2acbecbb8866f0.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        16⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        22⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        23⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        25⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        28⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        29⤵
        Checks computer location settings
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        30⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        34⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        36⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        37⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4500
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        38⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        40⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        42⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3216
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        46⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        47⤵
        Checks computer location settings
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        48⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        52⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        53⤵
        Checks computer location settings
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        54⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        58⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        59⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        60⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        64⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        65⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        67⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        68⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        69⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        70⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        71⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        72⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        73⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        74⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        75⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        76⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        78⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        79⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        80⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        81⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        82⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        83⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        84⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        85⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        86⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        87⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        88⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        89⤵
        Checks computer location settings
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        90⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        91⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        92⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        93⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        94⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        95⤵
        Checks computer location settings
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        96⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        97⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        98⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        99⤵
        Adds Run key to start application
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        100⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        101⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        103⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        104⤵
        Checks computer location settings
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        105⤵
        Drops file in Windows directory
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        106⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        107⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        109⤵
        Drops file in Windows directory
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        110⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        111⤵
        Drops file in Windows directory
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        112⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        114⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        115⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        116⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        117⤵
        Adds Run key to start application
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        118⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:4668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        119⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        120⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        121⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        122⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        123⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        124⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies WinLogon
        Drops file in Windows directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        125⤵
        Checks computer location settings
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        126⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        127⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        128⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        129⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        130⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        132⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        133⤵
        Drops file in Windows directory
        
        PID:5012
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        134⤵
        Drops file in Windows directory
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        135⤵
        Drops file in Windows directory
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        136⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        137⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        138⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        139⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        140⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        141⤵
        Adds Run key to start application
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        142⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:4204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        143⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        144⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        146⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        147⤵
        Adds Run key to start application
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        148⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:5076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        149⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        150⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        151⤵
        Drops file in Windows directory
        
        PID:3376
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        152⤵
        Checks computer location settings
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        153⤵
        Drops file in Windows directory
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        154⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies WinLogon
        
        PID:4948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        155⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        156⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        157⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        158⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        159⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        160⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        161⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        162⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        164⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        166⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies WinLogon
        
        PID:4900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        167⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        168⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        169⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        170⤵
        Drops file in Windows directory
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        171⤵
        Drops file in Windows directory
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        172⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        173⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        174⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        175⤵
        Drops file in Windows directory
        
        PID:4924
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        176⤵
        Drops file in Windows directory
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        177⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        178⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        180⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        181⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        182⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        183⤵
        Adds Run key to start application
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        184⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        185⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        186⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        187⤵
        Drops file in Windows directory
        
        PID:3332
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        188⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        189⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        190⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        193⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        194⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        195⤵
        Drops file in Windows directory
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        196⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:4924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        197⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        200⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        201⤵
        Adds Run key to start application
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        202⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies WinLogon
        
        PID:3116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        204⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        205⤵
        Drops file in Windows directory
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        206⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        207⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        208⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies WinLogon
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        209⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        210⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        212⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        213⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        214⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        215⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        216⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        217⤵
        Drops file in Windows directory
        
        PID:3812
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        218⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        219⤵
        Adds Run key to start application
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        220⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        221⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        223⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        224⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        225⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        226⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        227⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        228⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        229⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        231⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        232⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        233⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        234⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        235⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        236⤵
        Drops file in Windows directory
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        237⤵
        Drops file in Windows directory
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        238⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        239⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        240⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        241⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        242⤵
        Checks computer location settings
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        243⤵
        Drops file in Windows directory
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        244⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies WinLogon
        Drops file in Windows directory
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        245⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        246⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        248⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        249⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        250⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        251⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        252⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        254⤵
        Checks computer location settings
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        256⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:4952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        257⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        258⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        259⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        260⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        261⤵
        Adds Run key to start application
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        262⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        263⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        265⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        266⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        267⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        268⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        269⤵
        Checks computer location settings
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        270⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        271⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        272⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        273⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        274⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies WinLogon
        
        PID:1144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        275⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        276⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        278⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        279⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        280⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        281⤵
        Checks computer location settings
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        282⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        283⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        284⤵
        Drops file in Windows directory
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        285⤵
        Drops file in Windows directory
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        286⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        287⤵
        Checks computer location settings
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        288⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        289⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        290⤵
        Checks computer location settings
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        291⤵
        Adds Run key to start application
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        292⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        293⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        294⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        295⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        296⤵
        Checks computer location settings
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        297⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        298⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        299⤵
        Checks computer location settings
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        300⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        301⤵
        Drops file in Windows directory
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        302⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        303⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        304⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        305⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        306⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        307⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        308⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        309⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        310⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies WinLogon
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        312⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        313⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        314⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        315⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        316⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        317⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        318⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        319⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        320⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        321⤵
        Drops file in Windows directory
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        322⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        323⤵
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        324⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        325⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        326⤵
        Checks computer location settings
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        327⤵
        Adds Run key to start application
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        328⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        329⤵
        Checks computer location settings
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        330⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        331⤵
        Drops file in Windows directory
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        332⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        333⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        334⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:1076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        335⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        336⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        337⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        338⤵
        Drops file in Windows directory
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        339⤵
        Adds Run key to start application
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        340⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        341⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        342⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        343⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        344⤵
        Checks computer location settings
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        345⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        346⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        347⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        348⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        349⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        350⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        351⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        352⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        353⤵
        
        PID:5044

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEFDNUNBMUUtODFEMC00OTQ4LUJBMzEtQkI0OTIzOTZEOTVFfSIgdXNlcmlkPSJ7MUYxNEJGMTAtMzE1Ny00NzdCLTgyMDItN0UzRUNGNDkyNDdEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTRGMkM0OUQtNzg4OS00MDg2LUIyMDgtNDE2NDBCNjc3Q0NEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI3IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTcwMDE5OTY5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:216

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
PID:1152
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\EDGEMITMP_13AA6.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\EDGEMITMP_13AA6.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1808
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\EDGEMITMP_13AA6.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\EDGEMITMP_13AA6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\EDGEMITMP_13AA6.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff662786a68,0x7ff662786a74,0x7ff662786a80
    3⤵
    PID:4948
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\EDGEMITMP_13AA6.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\EDGEMITMP_13AA6.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:4480
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\EDGEMITMP_13AA6.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\EDGEMITMP_13AA6.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D679007-A1B2-48C7-B473-06937CAD90EF}\EDGEMITMP_13AA6.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff662786a68,0x7ff662786a74,0x7ff662786a80
      4⤵
      PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78a9f6a68,0x7ff78a9f6a74,0x7ff78a9f6a80
      4⤵
      Drops file in Program Files directory
      PID:1736
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Drops file in Program Files directory
    PID:3872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78a9f6a68,0x7ff78a9f6a74,0x7ff78a9f6a80
      4⤵
      Drops file in Program Files directory
      PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Drops file in Program Files directory
    PID:2556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78a9f6a68,0x7ff78a9f6a74,0x7ff78a9f6a80
      4⤵
      PID:4584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
08e61bc4aac688ae918418662333fe30

SHA1
a29144f5d560925ba6dd18798087f2a52face2b0

SHA256
4062adff22622aec57ce681321034826c47211685ec1b04f54fe5de74e978604

SHA512
7174d47658d838ea3e0fe72911320df5e921afe0179995384faaf2106bfc6f6e41fbde6972f434f3444729e75aa347eef03679015956541cc5f463250d6aee7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
591db1b061a4d3e1cc12baa4b2a8b8f9

SHA1
d930f9c31a5fb6e6ba1dbbe1043e30bd6969e258

SHA256
c741cf7a6f815783e06ade175c71240fa6be155de97c3933e8db71be60ca79fc

SHA512
52f4379067bd7ebfbad0d83e364b9494d79ea5ab44b56ccdc64229fc9ca47b81a5f55e673fbb175353d9a5da54b0fab1a4e806dcf7b84036a15575693e7dc5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
3b51e344902bffd75db41221346ab9aa

SHA1
a0ee5f047032b47985b104957457c4acd4da4a74

SHA256
81dcc1be55004c2762ee3b4b6c5bfcd9db766f97799c12d7029f75b11154cf00

SHA512
89fe56a41e80bdf22b832cdc2058e4fb36f0d8b2deb9d3fe0ef5603d7d6ce1e5c4a2138342be3745d8061c56c96a3087eb7113dd96a83270dfec0c25ec51319a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
8ab9f1aef1af62797a258bcc9f424f18

SHA1
540153a8f87eb27086010bb40bcd977f68fe7142

SHA256
95a0da7ee9f9bc3b7da673a40b0007a4e678d260a400e6d84025eb964a5455dd

SHA512
1e43c7676e8de848a0a52603a921ef88d931836c376455d63137638deb67c1498bb3d44e13dcb07e4a21b6235a807d0d81bb24643f757db6d4f114027e53d4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
a69093b75eb9e4e965968017d43ebb1a

SHA1
f20776831a7055f575b21112e075c86e6d5017be

SHA256
55f1cc369df2d8aff5dc18676429592a272540a0a6d7bfdd8518ed5a5b4374b7

SHA512
83c643c0c46753c02a3d9952da2a73d83da41bb0614b63f20a75120d12acdb2d46744770fc62bedb20b0b00d8d0a0b73de34354c99b519932ca05570e5973777

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
297d6b9c20a450f78fec908ed7dddbe3

SHA1
fb5dd9d3944576405395e9c94b2140a20188e0a8

SHA256
9a6c7996f93abbd5796854d3d0593ad5aae2a94e9fbb3521e2b3e08ac9006c47

SHA512
48a96ac7ce3bed90f8d6722c93c59828bce679fb770f0fa30ff8232fc640bd7b7bcaf3a7a928824b15a50e85938e4b39001e1e99e6f4ba2822b7142dd5497121

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
b99b85d035e6fd7358985e9aff6d8a1d

SHA1
67dfb3584e2f8ab16b009d7827e4c4543e686deb

SHA256
06fe7a084730d4a1556dc1759589b2889c6b3a161862bf02f49b9aa1b02393ff

SHA512
04b97e253c74e02d8d311f8b8d4e5c9cac29fe9de56157a29f304a2c927475cb5d8d8ba65b086c6fcf95b63a9c871aa7f7a1af7587b86a868804ca5ac7ad1f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
b5a72ef072582be4d490051623bb71f8

SHA1
3d01c790730382eb66f8bd2702a3a1b248b6c13b

SHA256
1b6d77ee1a886508bfa48dc69c174a752f9082bb480adee045c217a46e9643a8

SHA512
a5d3c5321951360e99a53d31776a0a9320f13608208794405fa81569bc7f91eb909e898922212cb73ac957656362988d70e61a38efd3f0eaba9320cc5ce48da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
39907a53022898b2f28b259a2ac63566

SHA1
bc77061b28a669f17d515b1cf32089499e305914

SHA256
4b9fbe0fbe65ad3f1f314d0e127602d72d74ace701cf6102e4a53397d6eb0179

SHA512
c9560f9fe1fea7658d7d938582c9049451c4f5f28d54fe66e98999efdea7ff8487168db1b175c26c3b87f8732f5faa3447504df40b0eb074b604b31efabb2614

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
29de6557dd17c9c490a7b6741f06b5e4

SHA1
4dfb11d90af5ee0564c48d8d9be4a8d6100d031f

SHA256
8869e93dd1eef0c3c07ab80ac55d547ffb06cefa79b389f31fadf77fe4f385c6

SHA512
a70df20b6175d77d946f2596262518b77535e60e881425c0126e191591c425a61695b2be8bc597aaba6caf4ff4a68a2c86151c12b1fe63ba4933d8305faa7343

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
e988e67666068b17c8bdd675b51a2dd8

SHA1
b8f3bd298462838a0ee1fd3d6e60d8afcfd5f30e

SHA256
ca2545aa684583212f8487ed2c2bf7b1c222ef6f5587ec8f4e18e377d928ce2d

SHA512
e7a644a7a3152a060b91a76b3dcef8c5334f047aff691a3350e9c447fdb87d359d6a8351c59b04cf5d3a4f92c650028e07800ea069c3d56dd52d08b637561791

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
710c5faaa46dce723704af1e838df0ce

SHA1
8987b8c9b7f122b42a0e96ed5af72d4c32d15320

SHA256
9d8ff1e782b3755cad275e798f8bb261de251e7dd9ee1702cbc9e35fd3090d99

SHA512
824db7e186ace5c4489cfba0c8d57bcce13ebd1983a0959f48e498e437301e51c329106ea0377d1e4c7ca4b45896f85c6dccef196062b47d0e7ed64d7447c35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
947b67b24363a94f7a75575762cb04f8

SHA1
ce96063f72442992cfbb90bc1fe2c2d20d363721

SHA256
29f44718dfffa1fa24c3da779557f63efc1922e389de96a68204af5cdf2719e7

SHA512
8c2d4b7f98b66f14dbdd9ce394e8ca960ac46d80e59b11df5e17c5d6ca5b210abf0027aeedf01dae2703335b346e26bc4b85535781c68f69f43b8ff1a21a11b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
e90067ce22d9a9d06a687319ff10f680

SHA1
ca4dc732fc7f5a02c315f6e60c535d934eef0fd8

SHA256
9189ebf249db5ae4a825ee974b6043402e8bcde36ca47c37dc366550f8594bf1

SHA512
8a6e10766e67bc7ba9c50d96a7ad6ee003c26f7abdf915a99192ceb10b0768630baf226ab1bbac8b48bcc49a78c5b34332f1d65e914f3c13fc13e73e9d76afec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
e21bfc0ed63b607e87eb0a80171d868d

SHA1
9cf3c3d402ad16e576b88eb688e9b4b8d282e633

SHA256
19d2159afcb653296dcb7f822a83de786bb6a4f42cf385991ce58cc8488bb7b5

SHA512
52d09a3304ac53ffd0a7246a54a2039918236935778b0ee4f7da968f9a58025be8981cae929e2396c3f720ba1c2b3e2cfa86d7fa4bc4663ddc90805cb42d1c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
2ccd90b33952c6368fdd222d85eda12e

SHA1
a92fbd42bca3a1740fcdfcc4f59ece2044e15e62

SHA256
c9dc37ff360a0d0d7f2e9610bf3eaced580a64587ab70ff7cb2730e6bea899ba

SHA512
0bc9194692beebac4924463ec34d56c4f4b15a0db112449cd04dc03d927e51dd53e880b11291a01800c024a5a8aaa54dbb6fbf73ebac7762bd8904c875b2ef92

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
1fad1910d4caf0293797a792a4f83958

SHA1
d90d3ec784a58ffe3b03485c0768b02cec7df6f5

SHA256
13b645dc5719fef41742efd6d6345988588b55f10e5dac4a758b8c94ca87fa72

SHA512
dfcdfffa95e30827ad087830a1045474f0ddeb0ef472f89b39fd81febf5d6b84a1ee5fef46e61c63a7b445fd0e51d0ed919aa761d6bd7c23cafe0bdeec989cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
99e63a42e1ae171b7f5c37232263116b

SHA1
493b54665bfe08c207755838dd332753c32c553c

SHA256
f886d1efd9cdb968c9a687c0ab3ce794e876bb4d908e388383b84a5e0dba2970

SHA512
9eb37993e635eaebbf4606fdadd29d92f5ae739a115b275ba26e7036e0c3ca4c911818bcff10d196b731dea250e428be0a88f1da3588f662ca5dc640a4324eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
3772e52d2e9079296ed99bc54620e3c6

SHA1
bf3aa4f29e8db4931fa580afafe7d5cef14bb639

SHA256
15b0633bc249716bd78193f406a71bf9f0cb88d27a28b0370c67e6ac7efa1c42

SHA512
7245d64d9e7a5329548562a7cd811aa62cdf757c9c09e1aa2cc916ae966f16ce7c962e6e54711ca18e9a1c3cec45fa3eb7eaf325f5b9857a561fb6abad103685

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
9caf7d8502163a141487a3a99390178e

SHA1
745bbcb9f9245386ca3f55c8edbfa874686459f3

SHA256
50eb375c498b8f8cab73cf5da6979e9d8ab24ce658d849f91ee247c8e35383cd

SHA512
dbef1b038529a781e3e152ac4bf431e2914891cd73c416fab957d5369283f3e8efea555f2f52ea507d597dda2fa22dd3f5834524860df4a92885b7882c29e337

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
f3585a74ff35484564c0bb3c06231f92

SHA1
430ddd0d3609cc3c4b8145d166c87760f0cc7247

SHA256
4783ce837ffa55c0c91da1b0acbec1eef786ea7806bce847f2fb317f8747d72b

SHA512
2685e1fcea5a814d919ed2763e22a03124987d7869e0aadb3cd73ec07105a9cd01c76ca5465940f73635273a6acd6de8b3f02af3ebc4e5a710b5496316bacfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
6e5123a7c6a4f3d0ab17197fa8d22a09

SHA1
20931454677d9772e31c33bd4ac51a2d0138c7fa

SHA256
660e12e07cbe7df3a82fdd10ff4664f530c717df2018c410a7d2d1f7003e45b5

SHA512
02deedfda5448a06146ea7c091e2f0d66192b2b73b06510bfa757814e83000f53be563fe0e4139f7b6ca29b0fb6c0b2279bc4144eda906c3502ad344a8637617

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
6de8a7de8befa9d49682af39daf8089e

SHA1
fe9212869ea5e835478f89efd16b4f9ad3fc5d3a

SHA256
900e6f5029968faca532c3b8aa5e8cefe3c53feb6d6356b668c62358beab8f69

SHA512
c179a212b35e5f52583a1404d5ed3c1330e0c181a11c6811aad08e59a2f7384f64e43d0873e8455c50a9198231c006fdfb081e5e11289262e016153d8de33be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
bee349cb4c0b46cad58dc49b0aa8bba1

SHA1
69d8ea0e8466c536407fe0edab659ce5e9742f86

SHA256
4df107fd95ec9d6922eaf2ab86ef3f7889585851d2053bb5dd9a5a8c6b9bdd89

SHA512
449605a86cae5d1b9ddd2c53b8d971976b9c5e6bdcdd125a350d0f9b998d2d2066694067475197ccab2501cfcf1a7a4de49d60b43c23504a051ebe2e3e41cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
bc18b3136eeedfeb7890fda8beb2e9bb

SHA1
ddbe4710faa03a443516ad2e0c79c822ba9e1c00

SHA256
97f0c003e5301af1d669ecd7d9ec4f1b3e04630de31b955bb6658cbad7de208d

SHA512
9711f5e4c496080eed845e41c6c334496e1effcd33a8c46f124cf50123937de59e737d68069f7daa358b1b5182b2bb4f593bc58de907c49828f96f05d49bb258

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
eb85de1f2b870c8354e63e2f7e12a214

SHA1
fa2b3cf174bc59ae13f04cc847341faed2c69aa8

SHA256
273e48b39e93cb7ab9051740766c91a96c14565a20329a6de17d3e27c3305743

SHA512
282bebd4002e5de98db05066a89e3053fb99985306f68c10726d6352d1fba84ceb5d2c01c059882c1d594537f6dc872710a43c9672787376b6e6ec347881664a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
0dde6aa1cec53d03e0139a52d1a83bfd

SHA1
36497c52fe922ffd0674e3dca0f0a9a098bfebad

SHA256
15a0dd2f8b91af6b6196392c5bb4b640cfaddd37be237a3256555bdbc1d39fec

SHA512
5ba687e145a5e851821f92a4ab869534695d8d0a83b6d8c9ee8793a2169785ffd91a53811cb167121a589aad6270e57f9a94d8a068d5dcf74254e1304269bc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
344bfdc31783f522c42f661bcf232f4c

SHA1
2f16d4a44a4d4296a63ed06e0909367d059eb38a

SHA256
48a0281eefa83fab187c9852a8a475a32c5c3a80f7375f306a43a01b09356822

SHA512
88863f0222510c1b0d758dde61d0e54e38c028c6912343f81d6f82facb53f4e1fa1f4ecf6292cedb9f110971bf8949a2a114f41129e54e955a1d4f7f56afc773

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
6932af0f8393ca368be07380f6090fb1

SHA1
649edf55a1aa708439ca501de2a4b79e1d0919be

SHA256
bab88c11bc24dac9b4e2d94caa357f1adc0d7ef908b77603fe4ee79a499cb4f6

SHA512
3ef05491164e5ab1a3479a37958999173e524bff7a7e68dbe256505995854692bbfcd8c6b1b841557dd4d292f3c75835fee10d326950dd6afa866f45bea57d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
e6de9f6a6979667e15d6f93338e89d94

SHA1
f5ff4154e5479968e1f088d01af09a243e309971

SHA256
39da660217cc7809205c8cb1a776bf38b2a33d54deb0707f0bea5943bad2c762

SHA512
8f1a66bac7c911169015527d16dfac0d427ce599a6a633175545436a399eae73a773e32c932a4aea8d19ce9de8608ae7a772e84cacfa25d9c17e109e447773a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
7adf61e82dcb889b959dd57ca9ae72b6

SHA1
e2278bd11ad85fb18ace8b2a1c038d5683b44bee

SHA256
2e7677d8f1fdcd826f65078277ac3efdde3c4c3708fdf4cab910e970cd07de4a

SHA512
94eac7ffa66f0025528f5803f8a9f099d1cb1669bf62445afb33b62a9efef55f4f59c47596b282616449b4fde5aba6b5d4fb094265d38b33d8a6b25bfb8b6df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
6948682eaff5e5112cd604899fee188a

SHA1
c080fb3dd7fbb65fab5365d9fa3522710a9b4f70

SHA256
80bea26025b936cf702ec4a420be173e7a677b0021c776acc98db1a0fcdf2db6

SHA512
392b7a6963aaf8f01e97d0f60795d04240ca0015816661ae7e4736424649dd7e75d1dabf58197f19acfe499aff01263b7db501604214c6fdcec18804f271bd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
68954974e527b0416e6ccf21376b8b0a

SHA1
334b4183b3d61c75a441d39f3eb0efb00ceb786e

SHA256
62f6ded037021d5b519a07e5df55965cf76572b657e18ba576735a9ac6b97e5d

SHA512
a4ed0f72eb9e10fcd4302611a3be1dda5edc768df2deef697e15a431b2e5c9bd8999b96f5b353b7595e53d1ca743f996648ab1d2b1ad1d2dc0d725688aa14869

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
034379b40dbd1599f51270945b8ff94c

SHA1
df4952b841bc4df4ace0407a5036e05d1a11d1bc

SHA256
6b1475ea2d9d994f33c08fae4febadbcf233213b114ff5e490c9fd61649ba941

SHA512
05e9d822163911ceca6ef8a587700475e1b0ca1531d687baf3723e9c75cc0bebfbc65a6cdd35a9bb4a3f17a4431276db611884ce1ca80c6c403d96b491c3d27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
f2ee76497ee3f2caade69d8b2bbd4f57

SHA1
499a9b0c3063542036358ff19fd163fb6d4e7800

SHA256
ef98482168515a7b26d33387e244ada2254f81c4900dbb95f5adbb83bda57090

SHA512
3faa47d65a90894df8be41193ab5930fcb9df3805189e500021f462593f477548641b293caa5a7d1c13e4623076ef0a5ff4399e98d90fe825f42adfb18240dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
fb640ca83033f2aea34d4a431e081981

SHA1
1e051c8c33c8c5421de9edf437f838c1151a51d8

SHA256
419110dba4e49bd823e2d4d3a2a9088039308f7bbed983c1fb842f125be484e5

SHA512
f9ee0b8ea9f9748caa9fd66bca1d736521380ef9eda32bd1b91ed8f2eb595f2f3f549e40c4501abf41691871b736f1cdc7a0b6a231b47337bc2c24dadf4e3ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
759b9427660902a599b616dccdb80be8

SHA1
3cc176eb3fa6a347c5e05aaff70f95132ac9ca54

SHA256
0a1ae3d3a85928c949fd7bac9d40ebc143aff840d1eeb33864a782175f4f2fd9

SHA512
e025311f029d451e55f696a4fa77317cff0be1a73fca4330b28e3d7e8132ee1938fe79486deb4f7030d1ae97bea05b23d887d9b2025d47484909efc6a082bad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
e20c20bcb56d3dde920ca20b1d6ddba7

SHA1
120e70130899fcf6a396e6bb5d440313e8c9eaf7

SHA256
398fd410d220b24d9e1647d66374331ba9361626016424fb7e20695f4f798d07

SHA512
dcad80a157be012340ecfe81ff51ff3b09cbed5605f33aa962df66b4e22b5878f0af7bb1af1128f9ffe0b0efe7003cb2232c092f325f433bcdbaeef9730e0e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
59506fe114d77182b091018dd6324472

SHA1
543ee07055630fea952c4df351a99eab0cde60fa

SHA256
37d4fe6626673a8a4e3d33d7362fbb5e514909ccb2bb0814f09dcec795034074

SHA512
36c6807747b1ed9cba094ac537574dc96f2c11b2cb87fc35434642e133e42f3ef9a49e7f0187834faa4e446fdbf9cf914f3b6fafa2b62f35319586c4958affe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
f0f8b045c1a89c82403092a75202b94d

SHA1
1f105b88623e74947db68831a243aebf12fcd32c

SHA256
3d78dcbd5563f32ce2241faee96c89be5e4d7f1e46ad0577879ac98de05f71e9

SHA512
8ba8076274f3864f12fbd9b608f676b87dc6df5ba2cfee6237dd4e664d7fc55baf20b014651b10722f0b56dcb47abbe74b784ad71b6357f0f9a60049eeec55c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
bbbdfafc894d0e4374da731d936eee85

SHA1
0f54f8d251d0dfdcac8db88d1f47adfe8784f4aa

SHA256
66198482e6c4f1766822f00ced0057653be914a5ae115ea375906a5534b6bf6c

SHA512
88c973172c85488dbe6053c054f35f72bbf1221311d618714bd865fbc211cc0c10316645c21ab712ed991df215bdf69421ed7b4a9b3b5c73bfeebad2b0c772d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
7e462059b9ef95a0c2f5302c989f2604

SHA1
1d516f74840e4826e4c91a2818e11789505ba141

SHA256
3de540213b810df4948b58a1808d2791afe448f60850c0cfb3515657f84f62f1

SHA512
cac070914b19e534cfcb9cd9ab17dffa9aba55555695a5048a205170f6843038a96c8853690242c50f8f6c206088105fc67c5db9ec60f6241f1372a94bf92966

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
49b9ea3a9fbc206413878bb9426cf1d0

SHA1
a2a9c644778db2698483e8d167e351f171588bfc

SHA256
63aaf0ded6373577b36ef8092335f885a844c0367c4c50eaba62b21d51f8a7db

SHA512
21c1fd23aa2bfcb5cbcb037582b0c9c5bc566859c067470a32c768959eed6baeff9fb8b6288330bee513a2978cabdd45d86f5b4757e507768413fd7fbfa5035e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
3a60a061ccb560f7c32bf9f9c545d27c

SHA1
8b36e9cd72dd8b0127de8dd1d42627305b99ab68

SHA256
913fa0915039c05edd9206036d06421cc236f5e767225928c4d3100c9dded169

SHA512
6b8cccbbbb2a44e65b9623c202e913506c3b0f27682e60bbeb31a25f337b3db116e4b10fdf766c25d6257d54f77c1d87badac40867abd7f9fc0c2c21333f1a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
dc5904090487833fe5659e73c977c9d7

SHA1
07e26df3e460b2436cf9212eff8390f895c8bd7a

SHA256
eb7b4d88c990245180c367d1cde93fb11658023a4ad9cb0ff392779e713effc6

SHA512
129d7bfc5b57353be86a6012c86059f34a988291f105947378fd9be378bd878270ae12e1ea66c323039e6b2be3e2d53d33abd34cf81d15fc934758f5d4ed013a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
289d32df695190a12cca4faf4a815827

SHA1
dd0cd5736911704f94cdbd176bfa7f83b5276232

SHA256
43899d082a17bdbae862c15eb9baf93435510b12a7742117db193ba73f29e4de

SHA512
2cc4dc7a12a2f6fdb9ac863ce1b37f747cee266f72f946443b5790e5d48b2ca95437fa4e33282c32a7041a6ddb5356a18ae9ff6f27d145cb2619bd686d7de639

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
d3c180933e2ccce67a6eed9cc601c974

SHA1
dfd59cf7f7e8c1aabe8b45c05ff6535ce52b3514

SHA256
7ccea7370990daf109f1c80e0b63da0bec2f9b257e5552c66b0d53a7918b00ef

SHA512
6201ad7f60a053b3c07396c51b353c0b2faaae9af5934019abdc15d5f9fcc6d4f5143bd44593653a30e0830f8702c9cacfc076acadd065ee457d75a880793265

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
08fb98896a951270b4e70476b1baa90c

SHA1
d1a6c1528ec109d0c302a9c01869d2d1533fb1e9

SHA256
ea51639ee4e5b6f29b24f2fb6420ace822bae6fbd67901f4c86269d48bcd062f

SHA512
d41f9cc5bce9184320ffe584d4abef342737257424286988bb42d1d762bce290f41d93d553dfc7b2100268fcca1da24c5f2add8b34268cb8bdd25f0928f014da

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
287562550cbcdb49f1f4fb2480e05b14

SHA1
89e4cc908afa3878a274254fc6e9d00a853d5404

SHA256
a62e8e54101e068c41e2286c45e386d1caaab7d63ac137e514055ac7cfac91a2

SHA512
e9f5d8ffcb0120316b5411a869dfcf8f8db5c9b99b897349aa0858e782c02565fee0775a6bf19bff79918002c04097d762bed3895d0f8a55acb6a3945861d74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
f499bf41e777b79afd1609a783648d9f

SHA1
7808e02b3efedb27f8e02972c081110e6a397b12

SHA256
70b915478587a96e6f8ba928bbf43f03e0ed326027c1431dfd82a0ce7fb2d678

SHA512
49f1803e77d4e5cb3bf2a5c6b6d7c51b10796776f7c4914cc36a283d536ef6dc6f45a48a536dc7c0a7b6dd0a5b3560b4762474cf360c539d9f712533fcf93531

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
4279e0419ff58cc4c0e58dc1a9049a0e

SHA1
4e71051abd7292ff58ac282d697982aa81963198

SHA256
8bc73bbe3f963f48b6f353744fa6b376c530ef4545778daa4919851b5b00562f

SHA512
773619868442fda068d4b1053aa50e6856d148b2d5b99601109da41b11409bacc443ebebbd5dfab6266dedeb8d08476985575d310248760619794f0a66345a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
cbf9cbdf5d95056f11b78386dfff3fb9

SHA1
a63c79bbe185c7dacff1a826f320c75b2321c407

SHA256
b6deb5559df87620b2ab0ece71b3e092b48d10bd3635eb751ccbb1a12cd5b4e1

SHA512
38a4e31266c6febce5e21338e88032967127ec75c78f5114d902de7f81e45809c6343c7eba3d4f88a48781b67967259ba762e7fed17a76bca7e5722c2d4063ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ad6017ad5a66798d192c3845a03e9e01

SHA1
27c0646bde834e59b4fed5a5e9db73cce0792389

SHA256
c34b4c85587ce5fea1634c95f8b56d990802a11a61d2e1e292f11fd1064e969c

SHA512
3f9355cd8a9533b32192e24de2517f0e969b99920baccb86e39221ffc7dee1f65e674be38b746d9ac284a15e1413a015b150f032d4a7cf583e3efbde9fe55c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
8f4644a99ad0e070ac071ffe34e74412

SHA1
56cf91063d7e5d8b72069d77bfa98d1dfd0cf009

SHA256
144ad4833574ff6150c6c1ab1aad3f9e8bb03d562fa8cb3da6e871725bd0a81c

SHA512
b0d399b52383ea722a71df0101f64d76f2d254855d22037283e648aa64460e710c06e746c52d2a31aacc75a20e7e4c2255ee3c385533c0c815caee34b50be9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
80292a7153a97bd0530bfea23aaa0520

SHA1
5a21ef3b097c415d78d56d41a23a10e33464ffc7

SHA256
646295763ee150f21e49019ba59847764f7f5463df848251fe9c9600fd72bd7a

SHA512
bfdc184dfa47de81738cd575ac2cb3420ebbaf765a3d6167a721d03309a5046a0d304346aa0bf4989dbc2c5f96fc3a1d71528f49b928d3f220754dc6cc269cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
8fc2fb54d4b879b319c7cf33e95215af

SHA1
06aef68a4d3b1d8d6e4ee1067b1d24eef6dc23ae

SHA256
ab0d1421ede2b1e8d4c512b86e8a2e1d819942c8140345b73334c3aa74fbbb7d

SHA512
d70f28f45ec7be947ea90676834cb6dec9979b0f12748a361be146b34254025e3c16404ec87b52bb08d161380966feae971f22103994b3da58bcb52418354fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ef2e119573e088d0e077ff05e244bb67

SHA1
1917b8a39fb74ae19d99fa7769c9f99e958660e1

SHA256
edca197271f3c8d391d4705cd9425c5d39bacedc1c27b89b5d775be8b9262f94

SHA512
022555c3c3ef61b119f951d38fdf86659047bdb3e682223a09d126ffd104749bb2ab40e4b205654a9a7457bdf06e86d3d16ca68a47dacfadd452269cc80ef1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ff607a8e9f8eb56e42f5524e4be9bd7f

SHA1
31f0318066c95514f0c59389fcbaf853c7d5f9e8

SHA256
4542a12f2832c678ae4afe78fc9dd07231f74d8c8e05671344fc44c36a16bdb0

SHA512
e3f0d17eccae782bda27f7b250dbffb260d17c99ddfe991b0f9622b8b2ce60dceb41834e5277e6f4177833b0066888120176301f9209e279f925af0052fb75bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
3fde74828c4b2a015cdd71a0c4c3af30

SHA1
1a5183a281e43159948ce0d0c0b16723ef231db4

SHA256
dee0e705eda4636a762de38f6534aa6e8dde9b9d5dba7fa160352458b43f4ebf

SHA512
662661ac898d7057230cd0460828dabd497288b9a64be1e49440428ab45e3ae28aacf739f6996a148a4b85c9c50c142ba301aaae90d9087f1c0293dc68eaabf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
536B

MD5
b4118bddcc9fe0ae73396b2b1b58c970

SHA1
23afa06fa78bbcc9c11e8549681fd4956f9d6c45

SHA256
e5d5005f7c9fdada426273f14e2ebe328b84f9161e80acc1396dadbe9897e98f

SHA512
fdc29fb8fafb990e52487b9ec22140dcbc8c684efa53da41e348584c623fff1a7ce1a9b3deaccdb25867479b393d52d199c8f09cb365e6c84e5980f6d4285b67

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/432-83-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/432-76-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/432-74-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/836-4-0x0000000077B91000-0x0000000077CB1000-memory.dmp

Filesize
1.1MB

Download
memory/836-10-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/836-2-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/1516-356-0x00000000020E0000-0x00000000020E6000-memory.dmp

Filesize
24KB

Download
memory/1516-354-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1516-362-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1516-12-0x0000000002160000-0x0000000002166000-memory.dmp

Filesize
24KB

Download
memory/1548-120-0x00000000020C0000-0x00000000020C6000-memory.dmp

Filesize
24KB

Download
memory/1548-118-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1548-127-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1896-208-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1896-206-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1896-215-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2400-296-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2400-290-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/2400-289-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4032-171-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4032-162-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4204-488-0x00000000022C0000-0x00000000022C6000-memory.dmp

Filesize
24KB

Download
memory/4204-486-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4376-428-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4376-422-0x0000000000630000-0x0000000000636000-memory.dmp

Filesize
24KB

Download
memory/4376-420-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4388-34-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/4388-32-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4388-40-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4388-455-0x00000000020B0000-0x00000000020B6000-memory.dmp

Filesize
24KB

Download
memory/4388-453-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4388-461-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4716-389-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/4716-387-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4716-395-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4752-251-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4752-259-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4952-321-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4952-323-0x0000000002130000-0x0000000002136000-memory.dmp

Filesize
24KB

Download
memory/4952-329-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download