Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20250211-en -
resource tags
arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system -
submitted
15/02/2025, 20:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
120 seconds
Behavioral task
behavioral2
Sample
c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe
Resource
win10v2004-20250211-en
windows10-2004-x64
17 signatures
120 seconds
General
-
Target
c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe
-
Size
372KB
-
MD5
0584ef509a2985388eebbc0c1968dd60
-
SHA1
74f0ff2cf1e9757b35c52357e202864b93470a1a
-
SHA256
c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068
-
SHA512
6bd4b1f4d15a84d9bc12864c24abba384fabd89c69a9a7b37ea0f551b6b8237bc339e5c4f2932cdd422aca2efb1cb00ca0c034f0cfa9dc23e16257f39f294c2d
-
SSDEEP
6144:t0dgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiG:t+qQx+H2i+8LBNbdypazCXY
Score
10/10
Malware Config
Extracted
Family
remcos
Version
2.4.3 Pro
Botnet
TINo
C2
185.140.53.140:2404
Attributes
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
true
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-5S9O07
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Modifies WinLogon for persistence 2 TTPs 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe -
Remcos family
-
Downloads MZ/PE file 1 IoCs
flow pid Process 42 3284 Process not Found -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation hab.exe -
Executes dropped EXE 64 IoCs
pid Process 2724 hab.exe 408 hab.exe 3888 remcos.exe 3128 remcos.exe 5064 hab.exe 2120 hab.exe 4516 remcos.exe 768 remcos.exe 4400 hab.exe 540 hab.exe 3572 remcos.exe 1404 remcos.exe 3060 hab.exe 4412 hab.exe 3360 remcos.exe 3576 remcos.exe 4764 hab.exe 2420 hab.exe 5100 remcos.exe 3840 remcos.exe 4388 hab.exe 3900 hab.exe 644 remcos.exe 1836 remcos.exe 3884 hab.exe 4776 hab.exe 3748 remcos.exe 452 remcos.exe 1668 hab.exe 3028 hab.exe 2488 remcos.exe 832 remcos.exe 1908 hab.exe 2584 hab.exe 556 remcos.exe 1508 remcos.exe 2964 hab.exe 4280 hab.exe 3272 remcos.exe 3420 remcos.exe 1836 hab.exe 2732 hab.exe 4844 remcos.exe 5048 remcos.exe 452 hab.exe 2684 hab.exe 4176 remcos.exe 2708 remcos.exe 3492 hab.exe 1188 hab.exe 1540 remcos.exe 4580 remcos.exe 1844 hab.exe 2080 hab.exe 1764 remcos.exe 3560 remcos.exe 4624 hab.exe 4260 hab.exe 2936 remcos.exe 3460 remcos.exe 1768 hab.exe 988 hab.exe 4416 remcos.exe 4604 remcos.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe -
Modifies WinLogon 2 TTPs 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 980 MicrosoftEdgeUpdate.exe -
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings hab.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4588 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 4588 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 840 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 840 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 2724 hab.exe 2724 hab.exe 408 hab.exe 408 hab.exe 3888 remcos.exe 3888 remcos.exe 3128 remcos.exe 3128 remcos.exe 5064 hab.exe 5064 hab.exe 2120 hab.exe 2120 hab.exe 4516 remcos.exe 4516 remcos.exe 768 remcos.exe 768 remcos.exe 4400 hab.exe 4400 hab.exe 540 hab.exe 540 hab.exe 3572 remcos.exe 3572 remcos.exe 1404 remcos.exe 1404 remcos.exe 3060 hab.exe 3060 hab.exe 4412 hab.exe 4412 hab.exe 3360 remcos.exe 3360 remcos.exe 3576 remcos.exe 3576 remcos.exe 4764 hab.exe 4764 hab.exe 2420 hab.exe 2420 hab.exe 5100 remcos.exe 5100 remcos.exe 3840 remcos.exe 3840 remcos.exe 4388 hab.exe 4388 hab.exe 3900 hab.exe 3900 hab.exe 644 remcos.exe 644 remcos.exe 1836 remcos.exe 1836 remcos.exe 3884 hab.exe 3884 hab.exe 4776 hab.exe 4776 hab.exe 3748 remcos.exe 3748 remcos.exe 452 remcos.exe 452 remcos.exe 1668 hab.exe 1668 hab.exe 3028 hab.exe 3028 hab.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4588 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 4588 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 840 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 840 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 2724 hab.exe 2724 hab.exe 408 hab.exe 408 hab.exe 3888 remcos.exe 3888 remcos.exe 3128 remcos.exe 3128 remcos.exe 5064 hab.exe 5064 hab.exe 2120 hab.exe 2120 hab.exe 4516 remcos.exe 4516 remcos.exe 768 remcos.exe 768 remcos.exe 4400 hab.exe 4400 hab.exe 540 hab.exe 540 hab.exe 3572 remcos.exe 3572 remcos.exe 1404 remcos.exe 1404 remcos.exe 3060 hab.exe 3060 hab.exe 4412 hab.exe 4412 hab.exe 3360 remcos.exe 3360 remcos.exe 3576 remcos.exe 3576 remcos.exe 4764 hab.exe 4764 hab.exe 2420 hab.exe 2420 hab.exe 5100 remcos.exe 5100 remcos.exe 3840 remcos.exe 3840 remcos.exe 4388 hab.exe 4388 hab.exe 3900 hab.exe 3900 hab.exe 644 remcos.exe 644 remcos.exe 1836 remcos.exe 1836 remcos.exe 3884 hab.exe 3884 hab.exe 4776 hab.exe 4776 hab.exe 3748 remcos.exe 3748 remcos.exe 452 remcos.exe 452 remcos.exe 1668 hab.exe 1668 hab.exe 3028 hab.exe 3028 hab.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 4588 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 840 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 2724 hab.exe 408 hab.exe 3888 remcos.exe 3128 remcos.exe 5064 hab.exe 2120 hab.exe 4516 remcos.exe 768 remcos.exe 4400 hab.exe 540 hab.exe 3572 remcos.exe 1404 remcos.exe 3060 hab.exe 4412 hab.exe 3360 remcos.exe 3576 remcos.exe 4764 hab.exe 2420 hab.exe 5100 remcos.exe 3840 remcos.exe 4388 hab.exe 3900 hab.exe 644 remcos.exe 1836 remcos.exe 3884 hab.exe 4776 hab.exe 3748 remcos.exe 452 remcos.exe 1668 hab.exe 3028 hab.exe 2488 remcos.exe 832 remcos.exe 1908 hab.exe 2584 hab.exe 556 remcos.exe 1508 remcos.exe 2964 hab.exe 4280 hab.exe 3272 remcos.exe 3420 remcos.exe 1836 hab.exe 2732 hab.exe 4844 remcos.exe 5048 remcos.exe 452 hab.exe 2684 hab.exe 4176 remcos.exe 2708 remcos.exe 3492 hab.exe 1188 hab.exe 1540 remcos.exe 4580 remcos.exe 1844 hab.exe 2080 hab.exe 1764 remcos.exe 3560 remcos.exe 4624 hab.exe 4260 hab.exe 2936 remcos.exe 3460 remcos.exe 1768 hab.exe 988 hab.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4588 wrote to memory of 840 4588 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 85 PID 4588 wrote to memory of 840 4588 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 85 PID 4588 wrote to memory of 840 4588 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 85 PID 840 wrote to memory of 2724 840 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 87 PID 840 wrote to memory of 2724 840 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 87 PID 840 wrote to memory of 2724 840 c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe 87 PID 2724 wrote to memory of 408 2724 hab.exe 89 PID 2724 wrote to memory of 408 2724 hab.exe 89 PID 2724 wrote to memory of 408 2724 hab.exe 89 PID 408 wrote to memory of 1576 408 hab.exe 91 PID 408 wrote to memory of 1576 408 hab.exe 91 PID 408 wrote to memory of 1576 408 hab.exe 91 PID 1576 wrote to memory of 4748 1576 WScript.exe 92 PID 1576 wrote to memory of 4748 1576 WScript.exe 92 PID 1576 wrote to memory of 4748 1576 WScript.exe 92 PID 4748 wrote to memory of 3888 4748 cmd.exe 94 PID 4748 wrote to memory of 3888 4748 cmd.exe 94 PID 4748 wrote to memory of 3888 4748 cmd.exe 94 PID 3888 wrote to memory of 3128 3888 remcos.exe 95 PID 3888 wrote to memory of 3128 3888 remcos.exe 95 PID 3888 wrote to memory of 3128 3888 remcos.exe 95 PID 3128 wrote to memory of 5064 3128 remcos.exe 96 PID 3128 wrote to memory of 5064 3128 remcos.exe 96 PID 3128 wrote to memory of 5064 3128 remcos.exe 96 PID 5064 wrote to memory of 2120 5064 hab.exe 97 PID 5064 wrote to memory of 2120 5064 hab.exe 97 PID 5064 wrote to memory of 2120 5064 hab.exe 97 PID 2120 wrote to memory of 2528 2120 hab.exe 98 PID 2120 wrote to memory of 2528 2120 hab.exe 98 PID 2120 wrote to memory of 2528 2120 hab.exe 98 PID 2528 wrote to memory of 4932 2528 WScript.exe 99 PID 2528 wrote to memory of 4932 2528 WScript.exe 99 PID 2528 wrote to memory of 4932 2528 WScript.exe 99 PID 4932 wrote to memory of 4516 4932 cmd.exe 101 PID 4932 wrote to memory of 4516 4932 cmd.exe 101 PID 4932 wrote to memory of 4516 4932 cmd.exe 101 PID 4516 wrote to memory of 768 4516 remcos.exe 102 PID 4516 wrote to memory of 768 4516 remcos.exe 102 PID 4516 wrote to memory of 768 4516 remcos.exe 102 PID 768 wrote to memory of 4400 768 remcos.exe 103 PID 768 wrote to memory of 4400 768 remcos.exe 103 PID 768 wrote to memory of 4400 768 remcos.exe 103 PID 4400 wrote to memory of 540 4400 hab.exe 104 PID 4400 wrote to memory of 540 4400 hab.exe 104 PID 4400 wrote to memory of 540 4400 hab.exe 104 PID 540 wrote to memory of 2832 540 hab.exe 105 PID 540 wrote to memory of 2832 540 hab.exe 105 PID 540 wrote to memory of 2832 540 hab.exe 105 PID 2832 wrote to memory of 4376 2832 WScript.exe 106 PID 2832 wrote to memory of 4376 2832 WScript.exe 106 PID 2832 wrote to memory of 4376 2832 WScript.exe 106 PID 4376 wrote to memory of 3572 4376 cmd.exe 108 PID 4376 wrote to memory of 3572 4376 cmd.exe 108 PID 4376 wrote to memory of 3572 4376 cmd.exe 108 PID 3572 wrote to memory of 1404 3572 remcos.exe 109 PID 3572 wrote to memory of 1404 3572 remcos.exe 109 PID 3572 wrote to memory of 1404 3572 remcos.exe 109 PID 1404 wrote to memory of 3060 1404 remcos.exe 110 PID 1404 wrote to memory of 3060 1404 remcos.exe 110 PID 1404 wrote to memory of 3060 1404 remcos.exe 110 PID 3060 wrote to memory of 4412 3060 hab.exe 111 PID 3060 wrote to memory of 4412 3060 hab.exe 111 PID 3060 wrote to memory of 4412 3060 hab.exe 111 PID 4412 wrote to memory of 2216 4412 hab.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe"C:\Users\Admin\AppData\Local\Temp\c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe"C:\Users\Admin\AppData\Local\Temp\c641b4e62e4293ba8fa41b74caf44a8e353ac382efa05fa5bf5d097d24863068N.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"11⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"12⤵
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe14⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"17⤵
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"18⤵
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe19⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"21⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"23⤵PID:2216
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"24⤵PID:4232
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe25⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3360 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3576 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"27⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2420 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"29⤵PID:4284
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"30⤵PID:4052
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe31⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5100 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe32⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3840 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3900 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"35⤵
- Checks computer location settings
PID:1340 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"36⤵PID:3420
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:644 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1836 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"39⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3884 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4776 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"41⤵
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"42⤵PID:5048
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe43⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3748 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:452 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"45⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3028 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"47⤵
- Checks computer location settings
PID:2216 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"48⤵PID:1956
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe49⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2488 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe50⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:832 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"51⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"52⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2584 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"53⤵PID:4284
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"54⤵PID:2624
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe55⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:556 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"57⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"58⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4280 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"59⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4460 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"60⤵PID:1852
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe61⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3272 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe62⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3420 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1836 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"64⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2732 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"65⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"66⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe67⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4844 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe68⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"69⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:452 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"70⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2684 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"71⤵PID:4344
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"72⤵
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe73⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4176 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe74⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"75⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"76⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1188 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"77⤵
- Checks computer location settings
PID:4892 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"78⤵PID:3900
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe79⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1540 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe80⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"81⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"82⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2080 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"83⤵PID:4672
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"84⤵PID:4220
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe85⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1764 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe86⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3560 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"87⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"88⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4260 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"89⤵
- Checks computer location settings
PID:4420 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"90⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe91⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2936 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe92⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"93⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"94⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:988 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"95⤵
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"96⤵PID:2456
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe97⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4416 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe98⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"99⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"100⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4496 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"101⤵PID:4848
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"102⤵PID:392
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe103⤵
- Drops file in Windows directory
PID:1540 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe104⤵
- Drops file in Windows directory
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"105⤵
- Adds Run key to start application
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"106⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies WinLogon
- Modifies registry class
PID:116 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"107⤵PID:3420
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"108⤵PID:4396
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe109⤵
- Drops file in Windows directory
PID:4728 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe110⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"111⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"112⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"113⤵
- System Location Discovery: System Language Discovery
PID:4540 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"114⤵PID:1556
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe115⤵
- Drops file in Windows directory
PID:4424 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe116⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"117⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"118⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"119⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:8 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"120⤵
- System Location Discovery: System Language Discovery
PID:1112 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe121⤵
- Drops file in Windows directory
PID:4276
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-