Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system -
submitted
16/02/2025, 18:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe
Resource
win7-20241010-en
windows7-x64
15 signatures
120 seconds
Behavioral task
behavioral2
Sample
c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe
Resource
win10v2004-20250207-en
windows10-2004-x64
17 signatures
120 seconds
General
-
Target
c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe
-
Size
372KB
-
MD5
b52779497b912f5b58c9f1713bf7a4e0
-
SHA1
15842a82d1b7b6a4016d6492e126a1e0379eabcd
-
SHA256
c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496
-
SHA512
5ae97636030e074d3ce5642e90a4309cae0f36763fbce33b086487afd9dcd0951bfc1af42d69928a83404baf921e5d341cd7e6e670e4d67e0e0fcb4953174dd7
-
SSDEEP
6144:t8dgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhi+:t2qQx+H2i+8LBNbdypazCXY
Score
10/10
Malware Config
Extracted
Family
remcos
Version
2.4.3 Pro
Botnet
TINo
C2
185.140.53.140:2404
Attributes
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
true
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-5S9O07
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Modifies WinLogon for persistence 2 TTPs 35 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe -
Remcos family
-
Downloads MZ/PE file 2 IoCs
flow pid Process 57 4812 Process not Found 82 3160 Process not Found -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation hab.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation remcos.exe -
Executes dropped EXE 64 IoCs
pid Process 4248 hab.exe 4972 hab.exe 4568 remcos.exe 4768 remcos.exe 3436 hab.exe 3148 hab.exe 3484 remcos.exe 1216 remcos.exe 4576 hab.exe 1692 hab.exe 4688 remcos.exe 440 remcos.exe 1952 hab.exe 2056 hab.exe 4600 remcos.exe 2876 remcos.exe 4496 hab.exe 3172 hab.exe 1568 remcos.exe 936 remcos.exe 4700 hab.exe 3832 hab.exe 5032 remcos.exe 2084 remcos.exe 2056 hab.exe 5068 hab.exe 60 remcos.exe 3704 remcos.exe 4200 hab.exe 4392 hab.exe 2948 remcos.exe 1172 remcos.exe 4380 hab.exe 4284 hab.exe 4752 remcos.exe 4928 remcos.exe 1908 hab.exe 3364 hab.exe 3212 remcos.exe 3920 remcos.exe 876 hab.exe 4392 hab.exe 2384 remcos.exe 824 remcos.exe 2324 hab.exe 4868 hab.exe 4756 remcos.exe 456 remcos.exe 4564 hab.exe 2584 hab.exe 4880 remcos.exe 4992 remcos.exe 3528 hab.exe 1628 hab.exe 1624 remcos.exe 4432 remcos.exe 2544 hab.exe 2632 hab.exe 5032 remcos.exe 1304 remcos.exe 3276 hab.exe 3820 hab.exe 3520 remcos.exe 4696 remcos.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" hab.exe -
Modifies WinLogon 2 TTPs 35 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ hab.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini hab.exe File opened for modification C:\Windows\win.ini remcos.exe File opened for modification C:\Windows\win.ini remcos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1424 MicrosoftEdgeUpdate.exe -
Modifies registry class 35 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings hab.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1568 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 1568 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 936 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 936 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 4248 hab.exe 4248 hab.exe 4972 hab.exe 4972 hab.exe 4568 remcos.exe 4568 remcos.exe 4768 remcos.exe 4768 remcos.exe 3436 hab.exe 3436 hab.exe 3148 hab.exe 3148 hab.exe 3484 remcos.exe 3484 remcos.exe 1216 remcos.exe 1216 remcos.exe 4576 hab.exe 4576 hab.exe 1692 hab.exe 1692 hab.exe 4688 remcos.exe 4688 remcos.exe 440 remcos.exe 440 remcos.exe 1952 hab.exe 1952 hab.exe 2056 hab.exe 2056 hab.exe 4600 remcos.exe 4600 remcos.exe 2876 remcos.exe 2876 remcos.exe 4496 hab.exe 4496 hab.exe 3172 hab.exe 3172 hab.exe 1568 remcos.exe 1568 remcos.exe 936 remcos.exe 936 remcos.exe 4700 hab.exe 4700 hab.exe 3832 hab.exe 3832 hab.exe 5032 remcos.exe 5032 remcos.exe 2084 remcos.exe 2084 remcos.exe 2056 hab.exe 2056 hab.exe 5068 hab.exe 5068 hab.exe 60 remcos.exe 60 remcos.exe 3704 remcos.exe 3704 remcos.exe 4200 hab.exe 4200 hab.exe 4392 hab.exe 4392 hab.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1568 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 1568 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 936 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 936 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 4248 hab.exe 4248 hab.exe 4972 hab.exe 4972 hab.exe 4568 remcos.exe 4568 remcos.exe 4768 remcos.exe 4768 remcos.exe 3436 hab.exe 3436 hab.exe 3148 hab.exe 3148 hab.exe 3484 remcos.exe 3484 remcos.exe 1216 remcos.exe 1216 remcos.exe 4576 hab.exe 4576 hab.exe 1692 hab.exe 1692 hab.exe 4688 remcos.exe 4688 remcos.exe 440 remcos.exe 440 remcos.exe 1952 hab.exe 1952 hab.exe 2056 hab.exe 2056 hab.exe 4600 remcos.exe 4600 remcos.exe 2876 remcos.exe 2876 remcos.exe 4496 hab.exe 4496 hab.exe 3172 hab.exe 3172 hab.exe 1568 remcos.exe 1568 remcos.exe 936 remcos.exe 936 remcos.exe 4700 hab.exe 4700 hab.exe 3832 hab.exe 3832 hab.exe 5032 remcos.exe 5032 remcos.exe 2084 remcos.exe 2084 remcos.exe 2056 hab.exe 2056 hab.exe 5068 hab.exe 5068 hab.exe 60 remcos.exe 60 remcos.exe 3704 remcos.exe 3704 remcos.exe 4200 hab.exe 4200 hab.exe 4392 hab.exe 4392 hab.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1568 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 936 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 4248 hab.exe 4972 hab.exe 4568 remcos.exe 4768 remcos.exe 3436 hab.exe 3148 hab.exe 3484 remcos.exe 1216 remcos.exe 4576 hab.exe 1692 hab.exe 4688 remcos.exe 440 remcos.exe 1952 hab.exe 2056 hab.exe 4600 remcos.exe 2876 remcos.exe 4496 hab.exe 3172 hab.exe 1568 remcos.exe 936 remcos.exe 4700 hab.exe 3832 hab.exe 5032 remcos.exe 2084 remcos.exe 2056 hab.exe 5068 hab.exe 60 remcos.exe 3704 remcos.exe 4200 hab.exe 4392 hab.exe 2948 remcos.exe 1172 remcos.exe 4380 hab.exe 4284 hab.exe 4752 remcos.exe 4928 remcos.exe 1908 hab.exe 3364 hab.exe 3212 remcos.exe 3920 remcos.exe 876 hab.exe 4392 hab.exe 2384 remcos.exe 824 remcos.exe 2324 hab.exe 4868 hab.exe 4756 remcos.exe 456 remcos.exe 4564 hab.exe 2584 hab.exe 4880 remcos.exe 4992 remcos.exe 1628 hab.exe 1624 remcos.exe 4432 remcos.exe 2544 hab.exe 2632 hab.exe 5032 remcos.exe 1304 remcos.exe 3276 hab.exe 3820 hab.exe 3520 remcos.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1568 wrote to memory of 936 1568 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 87 PID 1568 wrote to memory of 936 1568 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 87 PID 1568 wrote to memory of 936 1568 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 87 PID 936 wrote to memory of 4248 936 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 88 PID 936 wrote to memory of 4248 936 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 88 PID 936 wrote to memory of 4248 936 c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe 88 PID 4248 wrote to memory of 4972 4248 hab.exe 91 PID 4248 wrote to memory of 4972 4248 hab.exe 91 PID 4248 wrote to memory of 4972 4248 hab.exe 91 PID 4972 wrote to memory of 4156 4972 hab.exe 93 PID 4972 wrote to memory of 4156 4972 hab.exe 93 PID 4972 wrote to memory of 4156 4972 hab.exe 93 PID 4156 wrote to memory of 1500 4156 WScript.exe 94 PID 4156 wrote to memory of 1500 4156 WScript.exe 94 PID 4156 wrote to memory of 1500 4156 WScript.exe 94 PID 1500 wrote to memory of 4568 1500 cmd.exe 96 PID 1500 wrote to memory of 4568 1500 cmd.exe 96 PID 1500 wrote to memory of 4568 1500 cmd.exe 96 PID 4568 wrote to memory of 4768 4568 remcos.exe 97 PID 4568 wrote to memory of 4768 4568 remcos.exe 97 PID 4568 wrote to memory of 4768 4568 remcos.exe 97 PID 4768 wrote to memory of 3436 4768 remcos.exe 98 PID 4768 wrote to memory of 3436 4768 remcos.exe 98 PID 4768 wrote to memory of 3436 4768 remcos.exe 98 PID 3436 wrote to memory of 3148 3436 hab.exe 99 PID 3436 wrote to memory of 3148 3436 hab.exe 99 PID 3436 wrote to memory of 3148 3436 hab.exe 99 PID 3148 wrote to memory of 2648 3148 hab.exe 100 PID 3148 wrote to memory of 2648 3148 hab.exe 100 PID 3148 wrote to memory of 2648 3148 hab.exe 100 PID 2648 wrote to memory of 2808 2648 WScript.exe 103 PID 2648 wrote to memory of 2808 2648 WScript.exe 103 PID 2648 wrote to memory of 2808 2648 WScript.exe 103 PID 2808 wrote to memory of 3484 2808 cmd.exe 105 PID 2808 wrote to memory of 3484 2808 cmd.exe 105 PID 2808 wrote to memory of 3484 2808 cmd.exe 105 PID 3484 wrote to memory of 1216 3484 remcos.exe 108 PID 3484 wrote to memory of 1216 3484 remcos.exe 108 PID 3484 wrote to memory of 1216 3484 remcos.exe 108 PID 1216 wrote to memory of 4576 1216 remcos.exe 109 PID 1216 wrote to memory of 4576 1216 remcos.exe 109 PID 1216 wrote to memory of 4576 1216 remcos.exe 109 PID 4576 wrote to memory of 1692 4576 hab.exe 110 PID 4576 wrote to memory of 1692 4576 hab.exe 110 PID 4576 wrote to memory of 1692 4576 hab.exe 110 PID 1692 wrote to memory of 1040 1692 hab.exe 111 PID 1692 wrote to memory of 1040 1692 hab.exe 111 PID 1692 wrote to memory of 1040 1692 hab.exe 111 PID 1040 wrote to memory of 3032 1040 WScript.exe 112 PID 1040 wrote to memory of 3032 1040 WScript.exe 112 PID 1040 wrote to memory of 3032 1040 WScript.exe 112 PID 3032 wrote to memory of 4688 3032 cmd.exe 114 PID 3032 wrote to memory of 4688 3032 cmd.exe 114 PID 3032 wrote to memory of 4688 3032 cmd.exe 114 PID 4688 wrote to memory of 440 4688 remcos.exe 116 PID 4688 wrote to memory of 440 4688 remcos.exe 116 PID 4688 wrote to memory of 440 4688 remcos.exe 116 PID 440 wrote to memory of 1952 440 remcos.exe 117 PID 440 wrote to memory of 1952 440 remcos.exe 117 PID 440 wrote to memory of 1952 440 remcos.exe 117 PID 1952 wrote to memory of 2056 1952 hab.exe 118 PID 1952 wrote to memory of 2056 1952 hab.exe 118 PID 1952 wrote to memory of 2056 1952 hab.exe 118 PID 2056 wrote to memory of 752 2056 hab.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe"C:\Users\Admin\AppData\Local\Temp\c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe"C:\Users\Admin\AppData\Local\Temp\c3a763655dbd277ce4f256c3567fd8523574d848e21181387b3dc047e79f1496N.exe"2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"9⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"12⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe13⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"15⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"17⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"18⤵
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe19⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe20⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"21⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"23⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:752 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"24⤵PID:2312
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe25⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4600 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"27⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3172 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"29⤵
- Checks computer location settings
PID:3388 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"30⤵PID:4464
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe31⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1568 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe32⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:936 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3832 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"35⤵
- Checks computer location settings
PID:3728 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"36⤵PID:5100
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe37⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5032 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe38⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5068 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"41⤵PID:3436
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"42⤵PID:3212
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe43⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:60 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe44⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3704 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"45⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4200 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"46⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4392 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"47⤵
- Checks computer location settings
PID:3400 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"48⤵PID:4092
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe49⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2948 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1172 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"51⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"52⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4284 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"53⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3708 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"54⤵PID:232
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe55⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4752 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"57⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"58⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3364 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"59⤵
- Checks computer location settings
PID:216 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"60⤵PID:960
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe61⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3212 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe62⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3920 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:876 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"64⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4392 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"65⤵
- Checks computer location settings
PID:4168 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"66⤵PID:2636
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe67⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2384 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe68⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:824 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"69⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"70⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4868 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"71⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5044 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"72⤵PID:4088
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe73⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4756 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe74⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:456 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"75⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"76⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2584 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"77⤵PID:2368
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"78⤵
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe79⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4880 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe80⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"81⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"82⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1628 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"83⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4464 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"84⤵PID:3968
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe85⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1624 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe86⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4432 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"87⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"88⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2632 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"89⤵PID:232
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"90⤵PID:2892
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe91⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5032 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe92⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1304 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"93⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3276 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"94⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3820 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"95⤵
- Checks computer location settings
PID:2876 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"96⤵
- System Location Discovery: System Language Discovery
PID:3680 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe97⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3520 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe98⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4696 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"99⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"100⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"101⤵
- Checks computer location settings
PID:976 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"102⤵
- System Location Discovery: System Language Discovery
PID:3968 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe103⤵PID:4472
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe104⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:824 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"105⤵
- Adds Run key to start application
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"106⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
PID:3372 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"107⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4848 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"108⤵PID:3588
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe109⤵
- Drops file in Windows directory
PID:5032 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe110⤵
- Drops file in Windows directory
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"111⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:1304 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"112⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"113⤵PID:828
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"114⤵
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe115⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe116⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"117⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:3320 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"118⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"119⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"120⤵PID:2636
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe121⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4432
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-