remcos | f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/02/2025, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
Size

372KB
MD5

3a94a2a8c0dbf1c0752ddbb015854618
SHA1

88b4fa506a9b0d1387c3d1649bb5aa1e106687b4
SHA256

f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75
SHA512

0b63d8ac51088d2b1b434e72c22f7ce394b89757eb7e16c1dd672e3e8a7d2443daf2e1f48b8cf23c8aba142f7d257cd1dd70bc5860b2cba5f9bb52be69b044a8
SSDEEP

6144:t8dgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhi+O:t2qQx+H2i+8LBNbdypazCXYQ

Score

10^/10

remcos tino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

TINo

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-5S9O07
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 62 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 64 IoCs

pid	Process
2116	hab.exe
2696	hab.exe
2760	remcos.exe
2608	remcos.exe
1044	hab.exe
524	hab.exe
2844	remcos.exe
2912	remcos.exe
1708	hab.exe
1028	hab.exe
1944	remcos.exe
1060	remcos.exe
440	hab.exe
1320	hab.exe
924	remcos.exe
1852	remcos.exe
1724	hab.exe
852	hab.exe
2004	remcos.exe
2084	remcos.exe
1680	hab.exe
1972	hab.exe
2796	remcos.exe
2892	remcos.exe
2620	hab.exe
1984	hab.exe
1884	remcos.exe
1632	remcos.exe
1092	hab.exe
524	hab.exe
2964	remcos.exe
1676	remcos.exe
1452	hab.exe
2316	hab.exe
1812	remcos.exe
1372	remcos.exe
1644	hab.exe
1148	hab.exe
2168	remcos.exe
1120	remcos.exe
660	hab.exe
2552	hab.exe
1756	remcos.exe
2016	remcos.exe
2500	hab.exe
2416	hab.exe
2812	remcos.exe
2676	remcos.exe
2772	hab.exe
2996	hab.exe
2644	remcos.exe
2612	remcos.exe
980	hab.exe
2432	hab.exe
2908	remcos.exe
1364	remcos.exe
2680	hab.exe
3040	hab.exe
1040	remcos.exe
1496	remcos.exe
1060	hab.exe
1960	hab.exe
612	remcos.exe
1656	remcos.exe

Loads dropped DLL 64 IoCs

pid	Process
2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2116	hab.exe
2800	cmd.exe
2800	cmd.exe
2608	remcos.exe
2608	remcos.exe
1044	hab.exe
2848	cmd.exe
2848	cmd.exe
2912	remcos.exe
2912	remcos.exe
1708	hab.exe
2092	cmd.exe
2092	cmd.exe
1060	remcos.exe
1060	remcos.exe
440	hab.exe
1636	cmd.exe
1636	cmd.exe
1852	remcos.exe
1852	remcos.exe
1724	hab.exe
2096	cmd.exe
2096	cmd.exe
2084	remcos.exe
2084	remcos.exe
1680	hab.exe
2772	cmd.exe
2772	cmd.exe
2892	remcos.exe
2892	remcos.exe
2620	hab.exe
1256	cmd.exe
1256	cmd.exe
1632	remcos.exe
1632	remcos.exe
1092	hab.exe
2680	cmd.exe
2680	cmd.exe
1676	remcos.exe
1676	remcos.exe
1452	hab.exe
2248	cmd.exe
2248	cmd.exe
1372	remcos.exe
1372	remcos.exe
1644	hab.exe
1844	cmd.exe
1844	cmd.exe
1120	remcos.exe
1120	remcos.exe
660	hab.exe
2952	cmd.exe
2952	cmd.exe
2016	remcos.exe
2016	remcos.exe
2500	hab.exe
2032	cmd.exe
2032	cmd.exe
2676	remcos.exe
2676	remcos.exe
2772	hab.exe
2664	cmd.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Modifies WinLogon 2 TTPs 62 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2396	2380	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe	30
PID 2116 set thread context of 2696	2116	hab.exe	32
PID 2760 set thread context of 2608	2760	remcos.exe	37
PID 1044 set thread context of 524	1044	hab.exe	39
PID 2844 set thread context of 2912	2844	remcos.exe	44
PID 1708 set thread context of 1028	1708	hab.exe	46
PID 1944 set thread context of 1060	1944	remcos.exe	51
PID 440 set thread context of 1320	440	hab.exe	53
PID 924 set thread context of 1852	924	remcos.exe	58
PID 1724 set thread context of 852	1724	hab.exe	60
PID 1680 set thread context of 1972	1680	hab.exe	67
PID 2796 set thread context of 2892	2796	remcos.exe	72
PID 2620 set thread context of 1984	2620	hab.exe	74
PID 1884 set thread context of 1632	1884	remcos.exe	79
PID 1092 set thread context of 524	1092	hab.exe	81
PID 2964 set thread context of 1676	2964	remcos.exe	86
PID 1452 set thread context of 2316	1452	hab.exe	88
PID 1812 set thread context of 1372	1812	remcos.exe	94
PID 1644 set thread context of 1148	1644	hab.exe	96
PID 2168 set thread context of 1120	2168	remcos.exe	101
PID 660 set thread context of 2552	660	hab.exe	103
PID 1756 set thread context of 2016	1756	remcos.exe	108
PID 2500 set thread context of 2416	2500	hab.exe	110
PID 2812 set thread context of 2676	2812	remcos.exe	115
PID 2772 set thread context of 2996	2772	hab.exe	117
PID 2644 set thread context of 2612	2644	remcos.exe	122
PID 980 set thread context of 2432	980	hab.exe	124
PID 2908 set thread context of 1364	2908	remcos.exe	129
PID 2680 set thread context of 3040	2680	hab.exe	131
PID 1040 set thread context of 1496	1040	remcos.exe	136
PID 1060 set thread context of 1960	1060	hab.exe	138
PID 612 set thread context of 1656	612	remcos.exe	143
PID 924 set thread context of 944	924	hab.exe	145
PID 1920 set thread context of 2428	1920	remcos.exe	150
PID 1928 set thread context of 2128	1928	hab.exe	152
PID 2684 set thread context of 1964	2684	remcos.exe	157
PID 2740 set thread context of 2988	2740	hab.exe	159
PID 2872 set thread context of 2764	2872	remcos.exe	164
PID 1884 set thread context of 1256	1884	hab.exe	166
PID 1516 set thread context of 1456	1516	remcos.exe	171
PID 2928 set thread context of 2276	2928	hab.exe	173
PID 984 set thread context of 3000	984	remcos.exe	178
PID 2804 set thread context of 1944	2804	hab.exe	180
PID 1604 set thread context of 2000	1604	remcos.exe	185
PID 756 set thread context of 1844	756	hab.exe	187
PID 2052 set thread context of 2180	2052	remcos.exe	192
PID 2372 set thread context of 1596	2372	hab.exe	194
PID 2364 set thread context of 2312	2364	remcos.exe	199
PID 2700 set thread context of 1972	2700	hab.exe	201
PID 2988 set thread context of 2216	2988	remcos.exe	206
PID 2240 set thread context of 2624	2240	hab.exe	208
PID 980 set thread context of 2924	980	remcos.exe	213
PID 1968 set thread context of 2692	1968	hab.exe	215
PID 1452 set thread context of 2680	1452	remcos.exe	220
PID 792 set thread context of 752	792	hab.exe	222
PID 1304 set thread context of 1352	1304	remcos.exe	227
PID 2480 set thread context of 1604	2480	hab.exe	229
PID 2504 set thread context of 1844	2504	remcos.exe	234
PID 1724 set thread context of 1524	1724	hab.exe	236
PID 1584 set thread context of 2484	1584	remcos.exe	241
PID 2540 set thread context of 1076	2540	hab.exe	243
PID 2780 set thread context of 2716	2780	remcos.exe	248
PID 2880 set thread context of 2772	2880	hab.exe	250
PID 2012 set thread context of 2828	2012	remcos.exe	255

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2380	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2380	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2116	hab.exe
2116	hab.exe
2696	hab.exe
2696	hab.exe
2760	remcos.exe
2760	remcos.exe
2608	remcos.exe
2608	remcos.exe
1044	hab.exe
1044	hab.exe
524	hab.exe
524	hab.exe
2844	remcos.exe
2844	remcos.exe
2912	remcos.exe
2912	remcos.exe
1708	hab.exe
1708	hab.exe
1028	hab.exe
1028	hab.exe
1944	remcos.exe
1944	remcos.exe
1060	remcos.exe
1060	remcos.exe
440	hab.exe
440	hab.exe
1320	hab.exe
1320	hab.exe
924	remcos.exe
924	remcos.exe
1852	remcos.exe
1852	remcos.exe
1724	hab.exe
1724	hab.exe
852	hab.exe
852	hab.exe
2084	remcos.exe
2084	remcos.exe
1680	hab.exe
1680	hab.exe
1972	hab.exe
1972	hab.exe
2796	remcos.exe
2796	remcos.exe
2892	remcos.exe
2892	remcos.exe
2620	hab.exe
2620	hab.exe
1984	hab.exe
1984	hab.exe
1884	remcos.exe
1884	remcos.exe
1632	remcos.exe
1632	remcos.exe
1092	hab.exe
1092	hab.exe
524	hab.exe
524	hab.exe
2964	remcos.exe
2964	remcos.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2380	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2380	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2116	hab.exe
2116	hab.exe
2696	hab.exe
2696	hab.exe
2760	remcos.exe
2760	remcos.exe
2608	remcos.exe
2608	remcos.exe
1044	hab.exe
1044	hab.exe
524	hab.exe
524	hab.exe
2844	remcos.exe
2844	remcos.exe
2912	remcos.exe
2912	remcos.exe
1708	hab.exe
1708	hab.exe
1028	hab.exe
1028	hab.exe
1944	remcos.exe
1944	remcos.exe
1060	remcos.exe
1060	remcos.exe
440	hab.exe
440	hab.exe
1320	hab.exe
1320	hab.exe
924	remcos.exe
924	remcos.exe
1852	remcos.exe
1852	remcos.exe
1724	hab.exe
1724	hab.exe
852	hab.exe
852	hab.exe
2084	remcos.exe
2084	remcos.exe
1680	hab.exe
1680	hab.exe
1972	hab.exe
1972	hab.exe
2796	remcos.exe
2796	remcos.exe
2892	remcos.exe
2892	remcos.exe
2620	hab.exe
2620	hab.exe
1984	hab.exe
1984	hab.exe
1884	remcos.exe
1884	remcos.exe
1632	remcos.exe
1632	remcos.exe
1092	hab.exe
1092	hab.exe
524	hab.exe
524	hab.exe
2964	remcos.exe
2964	remcos.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2380	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
2116	hab.exe
2696	hab.exe
2760	remcos.exe
2608	remcos.exe
1044	hab.exe
524	hab.exe
2844	remcos.exe
2912	remcos.exe
1708	hab.exe
1028	hab.exe
1944	remcos.exe
1060	remcos.exe
440	hab.exe
1320	hab.exe
924	remcos.exe
1852	remcos.exe
1724	hab.exe
852	hab.exe
2084	remcos.exe
1680	hab.exe
1972	hab.exe
2796	remcos.exe
2892	remcos.exe
2620	hab.exe
1984	hab.exe
1884	remcos.exe
1632	remcos.exe
1092	hab.exe
524	hab.exe
2964	remcos.exe
1676	remcos.exe
1452	hab.exe
2316	hab.exe
1812	remcos.exe
1372	remcos.exe
1644	hab.exe
1148	hab.exe
2168	remcos.exe
1120	remcos.exe
660	hab.exe
2552	hab.exe
1756	remcos.exe
2016	remcos.exe
2500	hab.exe
2416	hab.exe
2812	remcos.exe
2676	remcos.exe
2772	hab.exe
2996	hab.exe
2644	remcos.exe
2612	remcos.exe
980	hab.exe
2432	hab.exe
2908	remcos.exe
1364	remcos.exe
2680	hab.exe
3040	hab.exe
1040	remcos.exe
1496	remcos.exe
1060	hab.exe
1960	hab.exe
612	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2396	2380	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe	30
PID 2380 wrote to memory of 2396	2380	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe	30
PID 2380 wrote to memory of 2396	2380	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe	30
PID 2380 wrote to memory of 2396	2380	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe	30
PID 2396 wrote to memory of 2116	2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe	31
PID 2396 wrote to memory of 2116	2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe	31
PID 2396 wrote to memory of 2116	2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe	31
PID 2396 wrote to memory of 2116	2396	f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe	31
PID 2116 wrote to memory of 2696	2116	hab.exe	32
PID 2116 wrote to memory of 2696	2116	hab.exe	32
PID 2116 wrote to memory of 2696	2116	hab.exe	32
PID 2116 wrote to memory of 2696	2116	hab.exe	32
PID 2696 wrote to memory of 1984	2696	hab.exe	33
PID 2696 wrote to memory of 1984	2696	hab.exe	33
PID 2696 wrote to memory of 1984	2696	hab.exe	33
PID 2696 wrote to memory of 1984	2696	hab.exe	33
PID 1984 wrote to memory of 2800	1984	WScript.exe	34
PID 1984 wrote to memory of 2800	1984	WScript.exe	34
PID 1984 wrote to memory of 2800	1984	WScript.exe	34
PID 1984 wrote to memory of 2800	1984	WScript.exe	34
PID 2800 wrote to memory of 2760	2800	cmd.exe	36
PID 2800 wrote to memory of 2760	2800	cmd.exe	36
PID 2800 wrote to memory of 2760	2800	cmd.exe	36
PID 2800 wrote to memory of 2760	2800	cmd.exe	36
PID 2760 wrote to memory of 2608	2760	remcos.exe	37
PID 2760 wrote to memory of 2608	2760	remcos.exe	37
PID 2760 wrote to memory of 2608	2760	remcos.exe	37
PID 2760 wrote to memory of 2608	2760	remcos.exe	37
PID 2608 wrote to memory of 1044	2608	remcos.exe	38
PID 2608 wrote to memory of 1044	2608	remcos.exe	38
PID 2608 wrote to memory of 1044	2608	remcos.exe	38
PID 2608 wrote to memory of 1044	2608	remcos.exe	38
PID 1044 wrote to memory of 524	1044	hab.exe	39
PID 1044 wrote to memory of 524	1044	hab.exe	39
PID 1044 wrote to memory of 524	1044	hab.exe	39
PID 1044 wrote to memory of 524	1044	hab.exe	39
PID 524 wrote to memory of 2932	524	hab.exe	40
PID 524 wrote to memory of 2932	524	hab.exe	40
PID 524 wrote to memory of 2932	524	hab.exe	40
PID 524 wrote to memory of 2932	524	hab.exe	40
PID 2932 wrote to memory of 2848	2932	WScript.exe	41
PID 2932 wrote to memory of 2848	2932	WScript.exe	41
PID 2932 wrote to memory of 2848	2932	WScript.exe	41
PID 2932 wrote to memory of 2848	2932	WScript.exe	41
PID 2848 wrote to memory of 2844	2848	cmd.exe	43
PID 2848 wrote to memory of 2844	2848	cmd.exe	43
PID 2848 wrote to memory of 2844	2848	cmd.exe	43
PID 2848 wrote to memory of 2844	2848	cmd.exe	43
PID 2844 wrote to memory of 2912	2844	remcos.exe	44
PID 2844 wrote to memory of 2912	2844	remcos.exe	44
PID 2844 wrote to memory of 2912	2844	remcos.exe	44
PID 2844 wrote to memory of 2912	2844	remcos.exe	44
PID 2912 wrote to memory of 1708	2912	remcos.exe	45
PID 2912 wrote to memory of 1708	2912	remcos.exe	45
PID 2912 wrote to memory of 1708	2912	remcos.exe	45
PID 2912 wrote to memory of 1708	2912	remcos.exe	45
PID 1708 wrote to memory of 1028	1708	hab.exe	46
PID 1708 wrote to memory of 1028	1708	hab.exe	46
PID 1708 wrote to memory of 1028	1708	hab.exe	46
PID 1708 wrote to memory of 1028	1708	hab.exe	46
PID 1028 wrote to memory of 1668	1028	hab.exe	47
PID 1028 wrote to memory of 1668	1028	hab.exe	47
PID 1028 wrote to memory of 1668	1028	hab.exe	47
PID 1028 wrote to memory of 1668	1028	hab.exe	47

C:\Users\Admin\AppData\Local\Temp\f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
"C:\Users\Admin\AppData\Local\Temp\f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe
  "C:\Users\Admin\AppData\Local\Temp\f191ebd7b3ec04f61c62489796c2e69c2d23b3f9d85a176da5deca50c48f7f75.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        16⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        18⤵
        Loads dropped DLL
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        22⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        24⤵
        Loads dropped DLL
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        28⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        29⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        30⤵
        Loads dropped DLL
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        31⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        34⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        35⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        36⤵
        Loads dropped DLL
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        40⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        41⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        42⤵
        Loads dropped DLL
        
        PID:1256
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        46⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        47⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        48⤵
        Loads dropped DLL
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        52⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        53⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        54⤵
        Loads dropped DLL
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        58⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        59⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        60⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        63⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        64⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        65⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        66⤵
        Loads dropped DLL
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        67⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        68⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        69⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        70⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        71⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        72⤵
        Loads dropped DLL
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        73⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        74⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        75⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        76⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        77⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        78⤵
        Loads dropped DLL
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        79⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        80⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        81⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        82⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        84⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        85⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        86⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        87⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        88⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        89⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        90⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        91⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        92⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        93⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        94⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        95⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        97⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:612
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        98⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        99⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        100⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        101⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        102⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        103⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        104⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        105⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        106⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        107⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        108⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        109⤵
        Suspicious use of SetThreadContext
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        110⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        111⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        112⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        113⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        115⤵
        Suspicious use of SetThreadContext
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        116⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        118⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        120⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        121⤵
        Suspicious use of SetThreadContext
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        122⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        123⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        124⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        125⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        126⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        127⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        128⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        129⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        130⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        131⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        132⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        133⤵
        Suspicious use of SetThreadContext
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        134⤵
        Drops file in Windows directory
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        135⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        136⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        137⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        138⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        139⤵
        Suspicious use of SetThreadContext
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        140⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        141⤵
        Suspicious use of SetThreadContext
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        142⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        143⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        144⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        145⤵
        Suspicious use of SetThreadContext
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        146⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        147⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        148⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        149⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        150⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        151⤵
        Suspicious use of SetThreadContext
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        152⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        153⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        154⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        155⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        156⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        157⤵
        Suspicious use of SetThreadContext
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        158⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        159⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        160⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        162⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        163⤵
        Suspicious use of SetThreadContext
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        164⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        165⤵
        Suspicious use of SetThreadContext
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        166⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        168⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        169⤵
        Suspicious use of SetThreadContext
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        170⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        171⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        172⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        173⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        174⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        175⤵
        Suspicious use of SetThreadContext
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        176⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        177⤵
        Suspicious use of SetThreadContext
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        178⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        179⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        180⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        181⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        183⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        184⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:1076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        185⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        186⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        187⤵
        Suspicious use of SetThreadContext
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        188⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        189⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        190⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        191⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        192⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        193⤵
        Suspicious use of SetThreadContext
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        194⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        195⤵
        Adds Run key to start application
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        196⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        197⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        199⤵
        Drops file in Windows directory
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        200⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        201⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        202⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        203⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        204⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        205⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        206⤵
        Drops file in Windows directory
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        207⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        208⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        209⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        210⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        211⤵
        Drops file in Windows directory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        212⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        213⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        214⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:1672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        215⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        216⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        217⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        218⤵
        Drops file in Windows directory
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        219⤵
        Drops file in Windows directory
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        220⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        222⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        223⤵
        Drops file in Windows directory
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        224⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        225⤵
        Drops file in Windows directory
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        226⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        228⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        229⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        230⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        231⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        232⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        233⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        234⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        235⤵
        Drops file in Windows directory
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        236⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        237⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        238⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        240⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        241⤵
        Drops file in Windows directory
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        242⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        243⤵
        Adds Run key to start application
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        244⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        245⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        246⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        247⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        248⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        249⤵
        Adds Run key to start application
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        250⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        252⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        253⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        254⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        255⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        256⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        257⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        258⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        259⤵
        Drops file in Windows directory
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        260⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        261⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        262⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        264⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        265⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        267⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        268⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        269⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        270⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        271⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        272⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        273⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        274⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:2652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        275⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        276⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        277⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        278⤵
        Drops file in Windows directory
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        279⤵
        Adds Run key to start application
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        280⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        281⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        282⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        283⤵
        Drops file in Windows directory
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        284⤵
        Drops file in Windows directory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        285⤵
        Adds Run key to start application
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        286⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        288⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        289⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        291⤵
        Adds Run key to start application
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        292⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        294⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        295⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        296⤵
        Drops file in Windows directory
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        297⤵
        Drops file in Windows directory
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        298⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        300⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        301⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        302⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        303⤵
        Adds Run key to start application
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        304⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        305⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        306⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        307⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        308⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        309⤵
        Adds Run key to start application
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        310⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        312⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        313⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        314⤵
        Drops file in Windows directory
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        315⤵
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        316⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        317⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        318⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        319⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        320⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        321⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        322⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:1836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        323⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        324⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        325⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        326⤵
        Drops file in Windows directory
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        327⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        328⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        329⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        330⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        331⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        332⤵
        Drops file in Windows directory
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        333⤵
        Adds Run key to start application
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        334⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        335⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        336⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        337⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        338⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        339⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        340⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        
        PID:2792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        341⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        342⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        343⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        344⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        345⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        346⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        347⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        348⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        349⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        350⤵
        Drops file in Windows directory
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        351⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        352⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:2968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        353⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        354⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        355⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        356⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        357⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        358⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        359⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        360⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        361⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        362⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        363⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        364⤵
        Modifies WinLogon for persistence
        Modifies WinLogon
        Drops file in Windows directory
        
        PID:1712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        365⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        366⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        367⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        368⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        369⤵
        Drops file in Windows directory
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        370⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        371⤵
        
        PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
e94b5d321feb0d817002439c5a504391

SHA1
3c4c4ed7ec64f13a3ba8f9f6541220911017ca09

SHA256
fbbfade22b975bd056e138f705be01e77d03dbdddbe403cb2f77b5802a431343

SHA512
fea96e098c7bc80c5f4138b74711e9d56bcfbb3eb9afc9a996507c6a76c8f7cf09b071fb4403f239aab9b799670632db8aedb6740f9262cc7313dcf244a1f040

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
7ce8b2a1c555bd022e546ef35dab2401

SHA1
fb72f5dbd9a66f8fe6d6b4fabcffa9a7e3e9373a

SHA256
342c76392f23031d04bc6cc33f43c1e382b597adddcc2e5c22ec22e671da298f

SHA512
7b287b0ab2df8a61d714b7a3851a8b69a2fd9ccc333759fdb4f6898bd89aa1e477cc9a707cbd86ffdbc0b346ab441136f74a85fbae3ea5b18a569252f990858d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
db9fb1cc384625c2deef0dbe8a7e730d

SHA1
97e1a8c1599171ca39bf36a0737c3fe2b2b8fe79

SHA256
832765761604ca29a3f003533c5b4e5ac80c1adb1015e3180dfc48f5a98c13c0

SHA512
b05f2f25701c518f3af63e4538fe960212a045b020d84bbadce78c265b7105bd3c7fbeb5f37b0471dc1c7525f6711d594230d801dbb346cacd941e0436a40a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
a70499845b916599063a15429dd593e2

SHA1
3aa0a0bee7c7682bb16e87140a7f991a9b7f1a0b

SHA256
226f0252b819f7c3aa9585a2e334af7fc8161cc1dba10f4a825e9d560728e7d4

SHA512
dd865e137954369a2d33ba0a1fdfbaa7c85f635f3d66d0ea142e742c8266b68a06a244f6b9d237cb24030dfeb995937e76021f3247ab6f5afb1754cd4c6fa7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
57465c5f6713eb60021d49cf4f1f1b68

SHA1
9b8b3320225dfc96ad4c3217fb621d1b6a1898ce

SHA256
24146b9cfaab2583f374329f91dc817f964971707d3780bdb600024ba327e1f5

SHA512
1c0f7479531647787758406e173c1d13b7a2ca8e95ff0a2309240ce1469d898bac795d8674ac0f1d531bcf46bbcf85d9c0bc448bcd034f917fa76c6c1d74ba3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
a41031998528ed00cfde4d8b31c94458

SHA1
2820d547af0652503703a4bd9fb277e6af5e2b19

SHA256
87836e53e5d55d1bd504405d3d69a6cdbf0f88998bef21aad986f9b2f3581992

SHA512
8c311a09a29c3d2a8a67d8e441c4b6a30b28fd45b0307488b8d018f3a45f1ca486003ab15ae666b2da089a526e4dbdb591fe4dc51b836094b4eb6865d0384574

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
81612be030b049f8139068da1772df68

SHA1
d83142bdd66de493906b7c0f41d5bfdc1bf4e1e1

SHA256
4ac3f4870123cd0b9d2689ae5a25702047ab4c08b283049ee9046db6cb8425a6

SHA512
8179bae46f7b3d3bfbef8414fe1d46d0a54222138600a7f2fd16820f33a18d0e4a40720183c484f2117e01f56025ba5c6ae23fe83e2939bcacd496d5f0f0cd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
d78dbff9a9366af55de90e91bf3af5c8

SHA1
8742964eea68e5c05d15f433769e132dbad1aeec

SHA256
7e111e21747efc2a197aa54324dbee24f66e0cf61bf57cadf134c524c59eae97

SHA512
394fb90a23534b14f3d828b47444022094730459d38c0e65a7470b39c14dbf906d979e19aa9575c748abc09e5deb2605a73320f5efc91e45318286b2c92cad39

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
a41d463850fb28276ac1e503519bdc53

SHA1
7d6d6ce6b19564aab1147d62d76f68ca7fec567c

SHA256
8202f917f00a036deb173ec0268a561b6112ce2de9c8ef3395f7d86046e4aee0

SHA512
808449da014e613742f4e8cc20235af00b20fc0d7eca32c30d2646cf2d9caf13e60c8d9c2c3b25cd88d67ad9accef17d29979f2854880864752d899e655443d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
d857588b942cfeb1e8518a83ca8c9988

SHA1
2b6820ad4ef36387dc6b5f9bec64de62e2daede9

SHA256
4088c66829c4ce73eef5b35cf4148ef3e25cfb986174f59eeb78481c1050dc72

SHA512
4b0e8cecb1ec17a26d5573e27b051028ea57c6ed37ffbbf7647d9bfca860538b0124f1ddac1ff1da047f74d7a2ed4254d647ce94f8ff51850ba1942cc2bc59de

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
9910f8e15db3e73777744c0944beafdf

SHA1
414fa00990b76542f0edd2cf1d06df5f825145e6

SHA256
2a6ffe7adbb24a089063be15183b8966bf594d90915b8af15add99138ac37503

SHA512
4256ea87220d605e399465fa245343a8c5567046348e9012825910b54273d5e7316e309895665a77ba90266b56b65d068b8d786dead93315ebfef2685de37fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
5696396787220aa613763ac9e893c42a

SHA1
f6a222f8d66cb42017112e2f8031a92e897c2928

SHA256
6c33fae64e837e76c92aa40483ddf09a9e2b42ab48cf73c26c265a3ee1ad6277

SHA512
3a640d367bdbb6c4efb00aa3babcd9a70ccfb8271d1e48d7e4b623dcd39a9cf18e42dcb06f0b63fb004438d4957708f22b8ac2d9e3335acbf03b41826bea5119

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
d5ae9b3d114fc1477c6f3b4342de1754

SHA1
df4b2737fcad28bdaaec0137f38b8c1c602de5e0

SHA256
40c3f211d9cf47d89a56bc8ec524df4e11d7eb9e340b1033323e91c22b0e399c

SHA512
ef53abbe85cf7702f1050d746ef03473fcd30b646dd1a0c2ca4db8cbe183ef18c8ca671c6e1030ed59f2b0efeca1b3aadacde86eee924b6002f2f7a5c5afc8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ebc14804e5246fff78ae375e79c6ca3d

SHA1
7586e126d9c827b177eb5ed183c260e5dfffbb57

SHA256
eebe4580a2550714d34e4fecd3d75d2075dcbb837e862a1b231eb79760908997

SHA512
ef37ee9c6ad226dd2f5008042474a9ec13c6552a6e4089f425253439ad58e7bc77f396a2ef7b428acb1a82edcaee2310f62ee786a0f7183aa41e9cdd272581e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ca2c99b9b9d23d2b360f6ea27929bb13

SHA1
f1fc54df8af70f81ca38fdfee6b922e4c191f574

SHA256
434586fe8a4300629dae212bdd61834c0fb764abb9e08ec95a7ec7e6509481aa

SHA512
de7d586e3ae4c41d253131f79b816f5de1f7c82896cd76096a430f57aa44bb62dab87345b72afdc7e67e8278ad2ceb5a2305d3a9e6d5c2cd15c0fb931805dfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
f615527ae4ccabb28d9fbd44224c05ca

SHA1
854fb26e220e412d24c2790d64d689a66e6ba07f

SHA256
aab6fd0918fd6eca3e71443125c37fc3d80c6ea4e4dc629c2c73d2cba2374620

SHA512
0294c2451d9fe051a1a2b42284a93034d9faddbf510db4afd8f94225c944ac9c75424ccfb80f536b5ee70909857469fb77d1165fc1f1262ad6eb3d0ad7e1d6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
5dbad2a6139166da52ec090bb9a511f9

SHA1
4451a4bf276c4d50006b6aeb972a93cf96b9961d

SHA256
5fd11248fa473c9fd33e017a360ee0f3e2e342326a82685377ddff415e3fd048

SHA512
9003e424de5f099831d16415e97c0c1ef97fad3705e7b91cd480ecc69a428439a2c31e50427cd89424adf12d7885954e2f8ef739d48fa198247002b6d119376a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
4a8a754472bfdd2939a81ac5d48a4f92

SHA1
2fb6f27ae4ce0af96d50fb6e859d54d06293da34

SHA256
b29f85bddb7a33932d36776961effcf2893778e57bae1de9fff3be4133f56d97

SHA512
4aa067ec49c2c2f8a0101b9435976c3fc82016caf65c78319aa4e998082805f4c11a5d9d272f968ab0d96eb18c7e7eca9e0fa160104a3d135617b38a54411f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
39ebe10fc459b6763cfa1390b419045c

SHA1
8828f412b07ba14ccb31570e118c706329be586e

SHA256
86a3529e70636d943961ea39ff18de70a9b950d8b42d05948d5ccb9eb1db86aa

SHA512
9ce492c8a4e82e37520294b8a2b70bf1f5cd05e5be63dd381302fced0289ba2c46d1152bf1baf138e8ffb1b00d31d942bf6f063474cd9fdb990bf2455aa09308

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
5116c0d815edc00ff81ef97f9df97305

SHA1
549369208a9a5c66cd1da792be26297b108768a6

SHA256
ef9abd08c77734e22bee1b28bd440caeedca65b1ee63020bd0d9ca1894746ee1

SHA512
35f0acc4e8863c8723a987ec8fe63651948dd3ee3f8562bf574188c041a39db5597c5d12e573f23695fab9f16f679fbe0c30c510e23148c01d831ea49a0ca6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
c8f3c0b7b5818881898513077292ff76

SHA1
549b0758fb3540ed6528c776ef6c59fda1253059

SHA256
977352f8952d97699c14e19deb06d42917da4fdcd2bfc7e7432f68d50a6a73fc

SHA512
007e440c19592cab32b7b8e631f1401cbd5e523c3619910b74cdf19ddc0c3c47919178fc7efde42809290d805db1465c459e54f8324f1d07580a7d1b0876b96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
0ef68bb94770dbd6da148bd26569f301

SHA1
48e40483a9e39d4a4372f0fd991d2f5e1ae4c0a3

SHA256
508feeae9f4e15c9cdbc51b6c6818d61f0daa9e99dbf31b00f41a856f9de22ec

SHA512
7f491ff5e3464382393597b3ed4424081d0ae4521d12cceab0a02e4986ab4b64da93ce5b4b7b15466628265d7457bddb597a7de1ee167fdb8a6725a856827b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
d8bc11149b124c15245363ae7aebd461

SHA1
2fb701b5468c181983c9a1c1a2b46da68e28243c

SHA256
fa042dc6f178f0f1eac7998f5c95a5c72c706db510a82d0709ad11c1b78d2715

SHA512
8edbe8168c335a1e7bc4b40caf85bc730110518b5496c5253a57dcf7f4180bd2bcab5dad2a044b0253c638cae9eaa7b36810aec8928e872de3624d5dd2f34253

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
890a57f77d37d598003b979f331b00c4

SHA1
b904af8f4a3e96e227bcf6a3ddf24096f7a2e98a

SHA256
4e03eadbeb6a859f4117b6823950d444cda6309224c4716580ff082f59420fa0

SHA512
18be4cef4d19d644ab135a0dac6419c75faccb214a99d00c1c1b6055500d8714c043f413e8897be8030280ec4b99690362b00733db79c6aecd8bd02ba324215b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
00a47a2aaf9358b297c945be76a3da1e

SHA1
671e734a63e92e0fb0e907d2711f7d046909a5d9

SHA256
3181da637ddc3f3931825e53c06ef185d77f9c68c5f09afbed7f20e7841da2c2

SHA512
3db228ed2218063c4abf4ebd8247cacff421e5b48224795e0bb83de4b4e7e398e5d540784e8b3b6653b488db86fe9a66237ad4d3e0bfa4bd96c9643336d3acff

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
86ee2b481c095ed5ecf919b5413ed694

SHA1
77dbeb6c664308d0c49fbacbf6694976eef57eb8

SHA256
6e496b2708f25bc2861be156d93eaebac31c7d70e4a5f9c51f2d1a87fb9812b5

SHA512
4453e480f39e3c89b001f8f5b86f4c68103733d2ead230b85226400bedf72213faf3b2f765090e8e0d0c4355c88c9c5ada3bb575bd608ef6af63f1bf7b287c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
61aa8bddccc52ddd71e2eb3729299c35

SHA1
5cfbb9d16bcb72469f28ee75ebcf691927bcd7ef

SHA256
af48502cbb837a3b69b586ee6743427c2a3d86d4db3f18630529ca285b053a20

SHA512
75cb77a838256e0cbdae31782487daf213a749f968f949e58734cb7273e022ea44cdad0e9de616bbd996cd6355757a75a1bb31e53a226a7426cfc1aa9b92734f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
2125b19ad2bcf801c503d0a88c74e2b6

SHA1
dbf0c5fc553c1086eb676d71344d3eb10836260f

SHA256
f75376d23de7bd02a1b6d7c7e6c8f6f6683d7db852ea0c0e64ac3f4f697bb042

SHA512
f4a551b21d534bb6f702162ee790d8d3f2b6031daf7bce31a2a64bfbfad67d025d7b2af1cc6b201a65e3c2413c221f7c32540609d6594eaf596d1d8603daae5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
9704d5a7ff8235e0f4199824ba5b6524

SHA1
e5eb5a2771ea227ebc7d89ff86c6b50e1a2dca4d

SHA256
2db8ce05c6f33715bc14de048365c63e7c91b32fd5d4ede6bf785299ca5b1966

SHA512
5984ec0eaf7f96937a3f2a041e01a4997483d6229dec3f47dee94b841ca441e82b6233c6c980ac33d1fb6970cfd1ae0f7b0f693b5b6bad584ac63f1a7fce76a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
2a244ea26282b119708218b677516e4e

SHA1
f6fa38ab4c9cc7a430eede41759638445830a552

SHA256
0728e5a7b7bd07a45b720f8c3d8ceaf08b20f74c33fc20b40a445e089c10ca91

SHA512
abeeeb65a884ed4260aec80632c6d10e36c458ef36802ad1944cbbd15ad55eae254494040cc54b21ebbcdc97ab4031656d13c6a6dfac157876d8f9bcb3c614ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
85fae0ed8a615f13c7f6ab5377d60fb2

SHA1
7fa763e252da3ce6ad03e81bb10687413e4e4d76

SHA256
4dfc963f0ce2697407ec57214dbcf936bc0bb409442e3d641e8aa44972b41cd5

SHA512
62e8e3f4afc3b3224aa28daa0517fd2ec0bb2ae4729fae8d18097e3355c392da8f811f5b9a9ed5fe101c59d6fd8c1bdd623eab6a004890622f69641e906991b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
dad4f51e11f31e611c24a445e186137c

SHA1
9f276326fb96624470edce0d37f13f83f37aaf77

SHA256
6d8f01db1f06ec56530f3d9552f87fb960516db7c30244b294e8ab094922a628

SHA512
b28a9e7d851ba8ad5c0953e2c214604d7f1536000c125a5f4d33b96388940fd958dc96d7435e88440902ab20d01f682c4643727e55da90bca291407395546455

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ba23323aea188809a0c5f044b950e078

SHA1
c9519a287b1a9960fdc7c8eba5603e8ce5869873

SHA256
77c0e17ce225e8c5206f90973a05671ddffeaf33b5b1e8b3f8d66d7f17b8f805

SHA512
d1aa9d6adb2bb8d3c158605e9d06ceedcb453816026938370b7c3d3d936489c0d49766e1a55125a08e9bb68b2f2cb72f0e87e21523f009c77b689a7147aed6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
db2557a24686caf44a97e179cff3864e

SHA1
2b345d7a11f27d5645d3e10fb5586d8ca022862d

SHA256
4f7284cf867cd81e94158818c0add4bb433a40a9ee42fbc6baa39ed1fe11db3f

SHA512
8ea7ec68954620c2a9fd49d1e05c3e3ad9f7185c7422b2079faba86eeee97ae9d5f709a1bc2452543ebc7a34281121b76141da7e8f5af3d2ed662d783f6691f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ed487c25ce56c1b2f10fff4cf6d7f8b3

SHA1
26e06ea9f27f2ab1eb64d4a41e3382fc27fc18ea

SHA256
32fb5e3ca86af2acb3bf6a50c11f066ff07acef4a07ebfa13ccc1e46c801c232

SHA512
46b5af066254e0e369ee3c7b56c3e3b49571ead7bd27c3be4cef445fb315432a7d4a1d2aff08e3899c7010be94646c7905845a1b9a407e0056507ed20197bb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
c971f3192e12b47c9a3a7a6d8d1be1f0

SHA1
c95d16698ac9d33085d66bec710e5b8c73451ea0

SHA256
a618db23475fd40e82c33374775323489c9a0d63222f074745dd1e9c68b07830

SHA512
62b0b157a7a7a3c718e6ebb51d238c0e53a238394460889252eedf6aa13ccd1832764de868dc8a14881697c1404b7ee98efd99f33e6479a0a1d8d42478778445

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
7ca978b4b8392541fb3687d5c3abeee2

SHA1
ac444017db93e7b6651126e20edcfedb84e2ee92

SHA256
9f0a4db8fde57d481ad4a6665cc39ffb6789640ad0d501c712aaaf23a47494f5

SHA512
483e4992bb85bea8ff22ab6be9a074d5ef98704198d4169d51cf0f33bccc2359b223762e3c3ffbb3b1c0c18db8e859ee47ab1fbed9aed4454b95d2de8c761e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
9d3dd8eddae1089b4e92c1d639024be0

SHA1
4bf948c915c18c8e551952caf9851f609f58a950

SHA256
283e2c26d42fe80e948b48b80f7b703ea49b6f9978f914b0d1d3e33695cabce8

SHA512
ecf7bd94de99c72c86767b26d57827693d151d13b8167b130ed88cb5ec4553261b4571d596de587cfb8b99866e70f8288aedbf658f8a6867d6fa0811a20ff5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
f66d1affb2d21a5bf610ef0179c7f8bb

SHA1
2a0086de5a4c2e21d500417687109fa15effc0bf

SHA256
08ecbf769d6128173a7e98df795120945f9f11c525d3fc6315f8e40b4096b161

SHA512
4bebd4456711529a37076c82402ac3d0ce8f1de7b569f6a9208127f2ef55076e988739c5c178225e850a12823c1108f38ce87b53b8681ec8dbab5ec7e1696698

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
8d198b16b3e15827f40c37ee081a1984

SHA1
6ba58e926cd41a7ead5a8a2d51fcf4481210b9e0

SHA256
633da07dc63a761826d8fec2d5e9c6fd100443d03325ab4653b3b326040e772d

SHA512
704ef6f14c3ede41d95db7838d292f1112f5f7e24adb38ae50e2406d0101881bc3e03ffe8467280525346d13a8e554b2a7327f393a59494adebc715a49197ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ea833ca27b2758aacf9fa2d19e3a98e7

SHA1
2a0a275c748b0f7ead48c81480c13fe3c1448d62

SHA256
90c9f8db694359d76976445efd7da1f81d7b311adfce7fee05e3b5deb9f7146c

SHA512
ab9a17b43632233d8ba6681bc89bfb2000b0c5e4b0004fea1c153676308a21f56d3bb5b10d1bd5389944a01a09faa0bbe040afb48b3540a9ff1ac7044c1d7dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
0ec4e5056dc4ecca90b9041cac94f429

SHA1
795ebdbf28909d2a4d742d7c86c96aa34e8d99d0

SHA256
ed423834d7975e2dcf0e45e897d52589b8eb7dd0f02a6d2ec40c78cf90434002

SHA512
fd1a8782e625fdd09b2da4c7587ffe78ec1bc0c331f0fd5010f86df9dd34b3d55059036359850de75ba8285ee5c28758c4a369d1643047a9a821cb9814c8502a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
7104ee8f9b3dcb901eb3f8c4bf46da50

SHA1
a07f333295362be1d19cb71d610a5201a68ec1fd

SHA256
5f462ccaf4dfb912ba5095c6198dc15f429e0833bea6f8378440d268c56835c6

SHA512
427a9d974b5e9e09773b7b6a834d33a59679c57c722380be83612b1b73f03a8b3cc20d73dd6a79dabf6b59bc723076419574ba100cd4395b96ac5c8e9b8230d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
16c5985a56b3ddfd5dc39a201181efd8

SHA1
39bcf7c09a08e6e00e5e6fdb998c8b67e8d50eb5

SHA256
3c537f8359564bf09a4d340a7c53d9db53013f71c823b1a419cf9ee07ef59637

SHA512
70003eb8c38e69e81e1b2d9d5134826f3607bfa0be6c46aaa3e054e90e58c0e971b6f7a847929644c65ed6a4eb08595fc80938fa4bb271bc682b30bd48e4da16

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
de6faf295735df9d786cb549c5eda289

SHA1
741057701e9f1c8ababaf01d13aba7dc5bb8a10b

SHA256
606d11dd7df65be0801423a812b0851072b0a29f933aca78f0a8891baeaf0c3f

SHA512
6b28feba9c491c84c1336bce71bdf59a3455555deef08d189e8d8f4029972698bcd9c840dc3a877d932f51601ace88c077643d29d5e92c03022aa4d80d997936

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
93c3fbee157996c1c20bd8b6695d0f38

SHA1
040fe0a38f30b3febbc190f00cac1ee6447f79bf

SHA256
d0091897557008eeaad0a000aed2549efd504c8df32745e2ed56b02ac80741a8

SHA512
8dc06152852fdcda9ad3d78f4d75d43e8ac0fabf14055c67754aa6cec29b386c82f497926df5aa55d87e6f22b9fb4e9c154c5b0ab8673061f38c3f7795996c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
d486fcd032c6afa446c3463245b9cbee

SHA1
8c8a7bda23c2e2f17312398532d252215c94cbdf

SHA256
68c0e87341cbaf1f73b06e8e2fb47753511fefe395b3d107bc3f2d3191f72cd1

SHA512
d3f4a24f01d029bb2d60fbb12d53d84653587e2ae765ab95c2b77c056d0009f85f7dd2eb9beb019645ce8589336c7d3e3607b2148799943f3a6706788678eb71

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
a990f40fdac6e012869489572011fc92

SHA1
eb1278ee50be812f38cb3a1e5eb08b95a047a490

SHA256
485eb6b0d05eefa6cd55ee1cd26b242f0b2a7dd51a1cc0efc82e0106562cc27a

SHA512
12d582f38dcacf3c201c09bcf9fd72f12ba1f4412f885332506f087beb719cd7b7bd13c57dfb7fe9df33972da3a563c9fa94b2e0b709212a40658437f7131ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
3fbeac199b42de6a22416027bffe0397

SHA1
a3837a1060f387f9df1075793a6f7324158e3feb

SHA256
c81995fd5d2bb5755e48bd45511da35369a2f9478924e2de7f31dd6e4a219f40

SHA512
e06819fc7f23c5c191745f3256e2b8114b019f38079787f65c64c55213c8e243da75b9c170fdea6236bbff2b5847ed9a97a164fd0b83f865fa126bcb7a50bca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
8872707089928d0dda59143b5e1f1ea9

SHA1
35b7d1fff4564633533d08820f55954596eafc04

SHA256
11eaee506adf458cbba05b72dd8738bb6b28993709a04498938fb14d463fbc9c

SHA512
d1f3ecf7e57e9029972340d79613b4fc5397581d0c00d274598a9a9b33d6f743e96747ae8f3feeafa0020effd3148863b0910915de854ea3be149bfcbd2a47b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
5e4849765ce7aea47f4b1aa694bb5398

SHA1
3fbdaa650f4c170badc000c225cf15f97d39f882

SHA256
7e7ed3cc85c10e08020a60fe6ddaeb383e86cc3aeb63ac1d04c47be133538458

SHA512
3ed627a8c5a050e1180710224913648b531d3d2cfa87ab7adb1c3f694126059fe4eacc35c4503c06a9b402b5864f472f5d2960deed4d2d0c7850a4c8a0d3c1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
7776fc09b9636faeb6c1dfd554f06247

SHA1
0ee245fbb440fce8761e05fc1abe6ca3509b139c

SHA256
5f183cc3594178d46711078b6bcb497284e795aa4640f18bf378420b2947d09b

SHA512
14815e3f12757a58f88e05b50eb7a5ca80856f775fae80b3537934230d7626f69d4cd753c705d27c888c9b1ac5ff95bcf009c3a266770bf4f90773fd98d2f052

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
57e4e89c43d00a612ba55d59b0de12fb

SHA1
8eb6941c715cac0653f87d4ce05cd935c782c76b

SHA256
7f0fc1f82b0859b35a863445ffbc7aeb5cd269b0f89df258f017ed2e241b5951

SHA512
b2570bd5302e1a076a8fe40066b8ae4ad335a8051380ca49b30d4947bc26b62c05e8adf6977c076f6c42989456327bc5c8ab96dcbc3967112e783667d56b95ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
46f2d54d4426084e67cbca425aaee39b

SHA1
e512ad0df4063236e116bc3f0ba91d9008110b26

SHA256
4768fd5c0b238468579c50d486b30562962296db08afb2e5c3a2561cd95869ef

SHA512
06c95e9d3318a0a3a11d02613645c37e8557490b66a23bc253bba46fbb947b3682b7a2c636bd2ea264ec943bf941b27d0bb9f55d7c3ae1baf5d9f7a20682d246

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
230334859e728a251ab788254949d795

SHA1
42855e6ba6b5d67d5a768474cb6671fcc5629760

SHA256
45f91124c63874e998009c7a15ff950d1169c4afc7344bac72dc3041e809ab27

SHA512
42b58a986b1867e14bedb5916cb9cc213213bc00d321c916ed2c534b56a284a54ce29b5224e9784381ac5893aa72c7992acd6267b0a4928c61fe923d47a2b202

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
d7c63eb82695156f9eaa29d2c177154d

SHA1
8fa7eb17d936d121776ec0e7ed8bbc33b89a85d2

SHA256
59070068f277c9106710eb5d6e2ff43e5e73ec706917ce58362f41b3180bf2c2

SHA512
6c75b642a2c95562af18d50e2bb73d8e8929f8ea8c65f1aa8beee2dd4454168a6854e4a942cb086bf75dce8d1eefd1c42b85944295fbdf99c29e62d805c4f19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
d50dd925586c2969491f44c409a55b42

SHA1
037b47b5158bb9885419ad3718d2a1eb99751bc1

SHA256
f715729571fac27a5cf0c602ae3f19a5f3364e439f451fdaf0adc326a890a77b

SHA512
d20ce246a832101509c14e737203829bba3a3b28dc2dfbcfeb465aa72b4e688af8cd08669df9588d5414a053bb9126938f8745e6270763b52db0b81d1d7a9498

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
b616e07b62f1fb36c9e76ab9f86d6d01

SHA1
bf889bdb3053abd92b088931eb72155f8705f620

SHA256
773f931f685ab38c4187fe4d9a3dfb51f192bd47e903a97806a5451162026fe2

SHA512
466a3d703cf0ec132c2b7a67df556501dbd281165baa813839d4cc69f12296305279b7ee00113cefa9f33c603c08b80916b2c81bc210d78e7c07629ba81ff468

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
536B

MD5
b4118bddcc9fe0ae73396b2b1b58c970

SHA1
23afa06fa78bbcc9c11e8549681fd4956f9d6c45

SHA256
e5d5005f7c9fdada426273f14e2ebe328b84f9161e80acc1396dadbe9897e98f

SHA512
fdc29fb8fafb990e52487b9ec22140dcbc8c684efa53da41e348584c623fff1a7ce1a9b3deaccdb25867479b393d52d199c8f09cb365e6c84e5980f6d4285b67

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
3d1795b5dfe180fffdd171d02e10ed19

SHA1
53be630dfde93f618ad5f994486f1f186db3ffd7

SHA256
b47bfdf91250b4eff0c860ec89be189811a5b141243396478486797475ad096c

SHA512
1f57226b206b526ad52bbbdb81d9c3a9e6114789ab87ac71bad44403699dab552e74fda14fa414eb1d54d835e8ff202a6cba5671d10654dc1650ac372f00c3c4

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
576fadea7eca539fe16d06a38c1e65c4

SHA1
23053d8274d3e51d2043c55c9b48b21125e6364e

SHA256
448b1b206428a64ae046545243fd4347f427afa922c29f5400f0a7e02710a60a

SHA512
f2d6612060be2d1a6ddd410e742fc373b71a9ced3bb0751918c5b7ddc853ed58ac26f64834af7de97a6ce8b2d5bc7db2d0429d73b410990b6e6261d62a62f82f

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
397202c59af0bc014c4b750191da0c5a

SHA1
6e00f0a144a9d84269ab8e69febf2f7b28c77221

SHA256
f599d54e03d30d9f3f2d0da2e5b55d86080b99b2d4ccd61727fcd16d2dc90772

SHA512
ee020710d9a72fe1dc694772abd8bbb991d4dc9c42450993584dd9f3072e0cad39f09fb24943885b0c28a7400073ac72251320c0793aedd95e3eb934d7a01e6f

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ae38fc249e58794690290f5b8200f5a3

SHA1
b15e9b364effaf91b405faad49a2f9d17ef9ad11

SHA256
32ff0bdd6daab99227740a763ca1487cb506f9443fefeab5b7d41756f86da49a

SHA512
e3805368233e72a81247d13ec44c7122357b05961026defc45c980a7bba735e93413485c06f219ac59913e8c86ed5a1860d0a918b1ede8a2807f4380a30ca347

Download Submit
memory/524-85-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/524-77-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/524-79-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/524-279-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/524-277-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/524-285-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/852-197-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/852-205-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/852-199-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/1028-120-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1028-122-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/1028-128-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-331-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-339-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-333-0x0000000002500000-0x0000000002506000-memory.dmp

Filesize
24KB

Download
memory/1320-165-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/1320-163-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1320-171-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1972-231-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1972-223-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1972-225-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1984-250-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1984-258-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2316-304-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2316-312-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2380-14-0x0000000077070000-0x0000000077146000-memory.dmp

Filesize
856KB

Download
memory/2380-4-0x0000000076E81000-0x0000000076F82000-memory.dmp

Filesize
1.0MB

Download
memory/2380-2-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/2380-5-0x0000000076E80000-0x0000000077029000-memory.dmp

Filesize
1.7MB

Download
memory/2380-12-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/2396-13-0x0000000076E80000-0x0000000077029000-memory.dmp

Filesize
1.7MB

Download
memory/2416-385-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2416-393-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2552-366-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2552-360-0x00000000007A0000-0x00000000007A6000-memory.dmp

Filesize
24KB

Download
memory/2552-358-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2696-34-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2696-36-0x0000000000630000-0x0000000000636000-memory.dmp

Filesize
24KB

Download
memory/2696-42-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2996-414-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/2996-412-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads