Analysis
max time kernel: 120s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20250207-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/02/2025, 00:56
Static task: static1
Behavioral task: behavioral1
Sample: fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe
Resource: win10v2004-20250207-en
General
Target: fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe
Size: 372KB
MD5: 826a9ba4054ddefbefbbec33f9f77fa0
SHA1: 7f3b0003d70d2f0aeb76424c8d2316a439e3a049
SHA256: fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2
SHA512: 9b2dd1b4dc3dc094739381567be7eb63baf4ba82e4d8fc6eac8caf89598d24db8fbc23036ffba7599bb0dc336931b8946f9f74c89f3390cbbb0a68a71402c94d
SSDEEP: 6144:tYdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhim:tiqQx+H2i+8LBNbdypazCXY
Malware Config
Extracted
remcos
2.4.3 Pro
TINo
185.140.53.140:2404
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: true
hide_file: false
hide_keylog_file: true
install_flag: true
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-5S9O07
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Modifies WinLogon for persistence (2 TTPs, 42 IoCs)
Remcos family
Downloads MZ/PE file (1 IoC)
flow 63, pid 4996, process: Process not Found
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 64 IoCs)
Modifies WinLogon 2 TTPs 42 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | hab.exe
(all 42 rows are this same entry) -
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\win.ini | hab.exe (34 rows)
File opened for modification | C:\Windows\win.ini | remcos.exe (30 rows)
(64 rows in total, all for the same file; the original lists them interleaved in chronological order) -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe (25 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (13 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hab.exe (13 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe (12 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe (1 row)
(64 rows in total, all for the same key) -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3940 | MicrosoftEdgeUpdate.exe -
Modifies registry class 42 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000_Classes\Local Settings | hab.exe
(all 42 rows are this same entry) -
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process (64 rows; every pid below appears twice in the original listing, in this order)
2296 fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe, 4588 fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe, 4612 hab.exe, 3088 hab.exe, 1332 remcos.exe, 2044 remcos.exe, 5072 hab.exe, 3580 hab.exe, 4544 remcos.exe, 3340 remcos.exe, 3596 hab.exe, 3064 hab.exe, 1696 remcos.exe, 3684 remcos.exe, 2984 hab.exe, 312 hab.exe, 2044 remcos.exe, 2756 remcos.exe, 3976 hab.exe, 4752 hab.exe, 2864 remcos.exe, 2936 remcos.exe, 4308 hab.exe, 2336 hab.exe, 4788 remcos.exe, 416 remcos.exe, 3088 hab.exe, 4432 hab.exe, 2368 remcos.exe, 2756 remcos.exe, 4712 hab.exe, 456 hab.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process (64 rows; every pid below appears twice in the original listing, in this order)
2296 fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe, 4588 fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe, 4612 hab.exe, 3088 hab.exe, 1332 remcos.exe, 2044 remcos.exe, 5072 hab.exe, 3580 hab.exe, 4544 remcos.exe, 3340 remcos.exe, 3596 hab.exe, 3064 hab.exe, 1696 remcos.exe, 3684 remcos.exe, 2984 hab.exe, 312 hab.exe, 2044 remcos.exe, 2756 remcos.exe, 3976 hab.exe, 4752 hab.exe, 2864 remcos.exe, 2936 remcos.exe, 4308 hab.exe, 2336 hab.exe, 4788 remcos.exe, 416 remcos.exe, 3088 hab.exe, 4432 hab.exe, 2368 remcos.exe, 2756 remcos.exe, 4712 hab.exe, 456 hab.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid | Process (64 rows, in the original order)
2296 fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe, 4588 fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe, 4612 hab.exe, 3088 hab.exe, 1332 remcos.exe, 2044 remcos.exe, 5072 hab.exe, 3580 hab.exe,
4544 remcos.exe, 3340 remcos.exe, 3596 hab.exe, 3064 hab.exe, 1696 remcos.exe, 3684 remcos.exe, 2984 hab.exe, 312 hab.exe,
2044 remcos.exe, 2756 remcos.exe, 3976 hab.exe, 4752 hab.exe, 2864 remcos.exe, 2936 remcos.exe, 4308 hab.exe, 2336 hab.exe,
4788 remcos.exe, 416 remcos.exe, 3088 hab.exe, 4432 hab.exe, 2368 remcos.exe, 2756 remcos.exe, 4712 hab.exe, 456 hab.exe,
4608 remcos.exe, 4728 remcos.exe, 3036 hab.exe, 1504 hab.exe, 64 remcos.exe, 4788 remcos.exe, 2616 hab.exe, 1788 hab.exe,
4652 remcos.exe, 4556 remcos.exe, 1644 hab.exe, 3252 hab.exe, 3264 remcos.exe, 3340 remcos.exe, 3940 hab.exe, 2336 hab.exe,
3152 remcos.exe, 2012 remcos.exe, 3492 hab.exe, 4996 hab.exe, 2768 remcos.exe, 1544 remcos.exe, 4980 hab.exe, 3232 hab.exe,
3524 remcos.exe, 3520 remcos.exe, 2676 hab.exe, 1864 hab.exe, 2160 remcos.exe, 3216 remcos.exe, 3668 hab.exe, 2044 hab.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2296 wrote to memory of 4588 | 2296 | fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe | 87 (3 rows)
PID 4588 wrote to memory of 4612 | 4588 | fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe | 88 (3 rows)
PID 4612 wrote to memory of 3088 | 4612 | hab.exe | 90 (3 rows)
PID 3088 wrote to memory of 1556 | 3088 | hab.exe | 92 (3 rows)
PID 1556 wrote to memory of 2248 | 1556 | WScript.exe | 94 (3 rows)
PID 2248 wrote to memory of 1332 | 2248 | cmd.exe | 96 (3 rows)
PID 1332 wrote to memory of 2044 | 1332 | remcos.exe | 97 (3 rows)
PID 2044 wrote to memory of 5072 | 2044 | remcos.exe | 98 (3 rows)
PID 5072 wrote to memory of 3580 | 5072 | hab.exe | 99 (3 rows)
PID 3580 wrote to memory of 1520 | 3580 | hab.exe | 100 (3 rows)
PID 1520 wrote to memory of 4620 | 1520 | WScript.exe | 101 (3 rows)
PID 4620 wrote to memory of 4544 | 4620 | cmd.exe | 103 (3 rows)
PID 4544 wrote to memory of 3340 | 4544 | remcos.exe | 104 (3 rows)
PID 3340 wrote to memory of 3596 | 3340 | remcos.exe | 105 (3 rows)
PID 3596 wrote to memory of 3064 | 3596 | hab.exe | 106 (3 rows)
PID 3064 wrote to memory of 3700 | 3064 | hab.exe | 107 (3 rows)
PID 3700 wrote to memory of 4872 | 3700 | WScript.exe | 108 (3 rows)
PID 4872 wrote to memory of 1696 | 4872 | cmd.exe | 110 (3 rows)
PID 1696 wrote to memory of 3684 | 1696 | remcos.exe | 111 (3 rows)
PID 3684 wrote to memory of 2984 | 3684 | remcos.exe | 112 (3 rows)
PID 2984 wrote to memory of 312 | 2984 | hab.exe | 115 (3 rows)
PID 312 wrote to memory of 60 | 312 | hab.exe | 117 (1 row; the listing is capped at 64)
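The WriteProcessMemory rows are the parent-to-child spawn record, logged three times per spawn. The following is an added example, not part of the sandbox report: it parses rows in the report's layout (copied from the listing above, with one spawn left in twice so the parser has to collapse repeats), rebuilds the launch chain from the submitted sample's pid, and checks whether the image names repeat. They do, with a period of six (hab.exe, hab.exe, WScript.exe, cmd.exe, remcos.exe, remcos.exe), which is exactly the cycle the Processes tree below shows: each installed remcos.exe re-launches hab.exe from Temp, which runs install.vbs again. A pid that never writes to another process has no image name in these rows and is reported as "?"; the tree below supplies it (pid 60 is WScript.exe).

```python
import re

# Constructed input: rows copied from the "Suspicious use of WriteProcessMemory"
# listing above, one per line. The first spawn is deliberately left in twice,
# as the sandbox logs it, so the parser has to collapse repeats.
SAMPLE_ROWS = """
PID 2296 wrote to memory of 4588 2296 fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe 87
PID 2296 wrote to memory of 4588 2296 fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe 87
PID 4588 wrote to memory of 4612 4588 fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe 88
PID 4612 wrote to memory of 3088 4612 hab.exe 90
PID 3088 wrote to memory of 1556 3088 hab.exe 92
PID 1556 wrote to memory of 2248 1556 WScript.exe 94
PID 2248 wrote to memory of 1332 2248 cmd.exe 96
PID 1332 wrote to memory of 2044 1332 remcos.exe 97
PID 2044 wrote to memory of 5072 2044 remcos.exe 98
PID 5072 wrote to memory of 3580 5072 hab.exe 99
PID 3580 wrote to memory of 1520 3580 hab.exe 100
PID 1520 wrote to memory of 4620 1520 WScript.exe 101
PID 4620 wrote to memory of 4544 4620 cmd.exe 103
PID 4544 wrote to memory of 3340 4544 remcos.exe 104
PID 3340 wrote to memory of 3596 3340 remcos.exe 105
PID 3596 wrote to memory of 3064 3596 hab.exe 106
PID 3064 wrote to memory of 3700 3064 hab.exe 107
PID 3700 wrote to memory of 4872 3700 WScript.exe 108
PID 4872 wrote to memory of 1696 4872 cmd.exe 110
PID 1696 wrote to memory of 3684 1696 remcos.exe 111
PID 3684 wrote to memory of 2984 3684 remcos.exe 112
PID 2984 wrote to memory of 312 2984 hab.exe 115
PID 312 wrote to memory of 60 312 hab.exe 117
"""

# "PID <parent> wrote to memory of <child> <parent> <image> <target id>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_spawns(text):
    """Return (children, names). children maps parent pid -> [child pids] in
    first-seen order with repeated rows collapsed; names maps pid -> image for
    every pid that appears as a writer (a child's name is only known once it
    writes to a process of its own)."""
    children, names, seen = {}, {}, set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        names[parent] = image
        if (parent, child) not in seen:
            seen.add((parent, child))
            children.setdefault(parent, []).append(child)
    return children, names


def launch_chain(children, names, root):
    """Follow the first child at every level from root: [(pid, image), ...].
    A leaf pid whose name never appears is reported as '?'."""
    chain, pid, visited = [], root, set()
    while pid is not None and pid not in visited:   # visited guards pid reuse
        visited.add(pid)
        chain.append((pid, names.get(pid, "?")))
        kids = children.get(pid, [])
        pid = kids[0] if kids else None
    return chain


def repeat_period(images, skip=0):
    """Smallest p such that images[skip:] (unknown names dropped) repeats every
    p entries, or None if the sequence is not periodic."""
    tail = [i for i in images[skip:] if i != "?"]
    for p in range(1, len(tail)):
        if all(tail[i] == tail[i + p] for i in range(len(tail) - p)):
            return p
    return None


if __name__ == "__main__":
    children, names = parse_spawns(SAMPLE_ROWS)
    chain = launch_chain(children, names, 2296)
    for depth, (pid, image) in enumerate(chain, 1):
        print(f"{depth:2d} {pid:5d} {image}")
    # skip the two launcher entries (the submitted sample and its self-spawned copy)
    print("period:", repeat_period([img for _, img in chain], skip=2))
```

The practical point for triage: the 64-row caps in this report are filled by a handful of behaviours repeated once per loop iteration, so correlate by pid rather than counting rows, and expect pids to be reused within the 120 s run (2044 appears as both remcos.exe and hab.exe in the SetWindowsHookEx listing above).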
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296 -
depth 2: C:\Users\Admin\AppData\Local\Temp\fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\fc8eae261230d96b4e741c1d8bde7bfb90182562bacd7e1b698d34aa820de0d2N.exe"
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588 -
depth 3: C:\Users\Admin\AppData\Local\Temp\hab.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\hab.exe"
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612 -
depth 4: C:\Users\Admin\AppData\Local\Temp\hab.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\hab.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3088 -
depth 5: C:\Windows\SysWOW64\WScript.exe | cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1556 -
depth 6: C:\Windows\SysWOW64\cmd.exe | cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
- Suspicious use of WriteProcessMemory
PID:2248 -
depth 7: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe | cmdline: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1332 -
depth 8: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe | cmdline: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044 -
depth 9: C:\Users\Admin\AppData\Local\Temp\hab.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\hab.exe"
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072 -
depth 10: C:\Users\Admin\AppData\Local\Temp\hab.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\hab.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3580 -
depth 11: C:\Windows\SysWOW64\WScript.exe | cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520 -
depth 12: C:\Windows\SysWOW64\cmd.exe | cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
- Suspicious use of WriteProcessMemory
PID:4620 -
depth 13: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe | cmdline: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544 -
depth 14: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe | cmdline: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3340 -
depth 15: C:\Users\Admin\AppData\Local\Temp\hab.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\hab.exe"
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596 -
depth 16: C:\Users\Admin\AppData\Local\Temp\hab.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\hab.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"17⤵
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"18⤵
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe19⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe20⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"21⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"23⤵PID:60
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"24⤵PID:4804
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe25⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2044 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"27⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3976 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4752 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"29⤵PID:1720
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"30⤵PID:2604
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe31⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2864 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe32⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2336 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"35⤵
- Checks computer location settings
PID:3552 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"36⤵
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe37⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4788 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:416 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"40⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4432 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"41⤵
- Checks computer location settings
PID:1784 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"42⤵PID:2768
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe43⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2368 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe44⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"45⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"46⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:456 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"47⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"48⤵PID:3292
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4608 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"51⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"52⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1504 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"53⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"54⤵
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe55⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:64 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"57⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"58⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1788 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"59⤵PID:4432
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"60⤵PID:4220
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe61⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4652 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe62⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"64⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3252 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"65⤵
- System Location Discovery: System Language Discovery
PID:4400 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"66⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe67⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3264 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe68⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"69⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3940 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"70⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2336 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"71⤵PID:408
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"72⤵PID:1744
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe73⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3152 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe74⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"75⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"76⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4996 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"77⤵PID:532
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"78⤵PID:3564
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe79⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2768 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe80⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"81⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"82⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3232 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"83⤵
- Checks computer location settings
PID:3548 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"84⤵
- System Location Discovery: System Language Discovery
PID:3264 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe85⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3524 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe86⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3520 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"87⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"88⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1864 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"89⤵
- Checks computer location settings
PID:3224 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"90⤵
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe91⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2160 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe92⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3216 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"93⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3668 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"94⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2044 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"95⤵PID:2988
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"96⤵PID:32
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe97⤵
- Executes dropped EXE
PID:2924 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe98⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"99⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"100⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"101⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"102⤵
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe103⤵
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe104⤵PID:3228
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"105⤵PID:2352
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"106⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"107⤵
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"108⤵
- System Location Discovery: System Language Discovery
PID:3792 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe109⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe110⤵PID:2708
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"111⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:5100 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"112⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies WinLogon
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"113⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4940 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"114⤵PID:4972
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe115⤵
- Drops file in Windows directory
PID:5072 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe116⤵
- Checks computer location settings
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"117⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\hab.exe"C:\Users\Admin\AppData\Local\Temp\hab.exe"118⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"119⤵
- Checks computer location settings
PID:3528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"120⤵PID:3644
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe121⤵PID:2072
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe122⤵
- Drops file in Windows directory
PID:548