remcos | b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593

Analysis

max time kernel
43s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17/02/2025, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
Size

372KB
MD5

f2468b644e4884058e106a27311aa52b
SHA1

d4444414a806d49810512f06fbbd2e5d506e3051
SHA256

b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593
SHA512

6a66b2ac286ed27f6f623aefd1a8f4fff709ca26b435a730cf82f1bd6b030dae76fbcb9ec37cf0f44cdf21fffc74fa02a1d0f743c7126d4dfada2fa7a11f7bd6
SSDEEP

6144:tQdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiaq:tqqQx+H2i+8LBNbdypazCXYk

Score

10^/10

remcos tino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

TINo

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-5S9O07
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 52 IoCs

pid	Process
2920	hab.exe
2964	hab.exe
2728	remcos.exe
1120	remcos.exe
2148	hab.exe
1468	hab.exe
2988	remcos.exe
1960	remcos.exe
688	hab.exe
320	hab.exe
2340	remcos.exe
2104	remcos.exe
1020	hab.exe
1376	hab.exe
2028	remcos.exe
2112	remcos.exe
1776	hab.exe
1408	hab.exe
2824	remcos.exe
2924	remcos.exe
2800	hab.exe
2764	hab.exe
2672	remcos.exe
1548	remcos.exe
2908	hab.exe
3024	hab.exe
1784	remcos.exe
3008	remcos.exe
2224	hab.exe
2196	hab.exe
2496	remcos.exe
2276	remcos.exe
1916	hab.exe
1956	hab.exe
940	remcos.exe
2136	remcos.exe
824	hab.exe
1736	hab.exe
2028	remcos.exe
2564	remcos.exe
2316	hab.exe
1776	hab.exe
2780	remcos.exe
2080	remcos.exe
2924	hab.exe
2920	hab.exe
2424	remcos.exe
2732	remcos.exe
1548	hab.exe
1788	hab.exe
2364	remcos.exe
3016	remcos.exe

Loads dropped DLL 64 IoCs

pid	Process
2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
2920	hab.exe
2588	cmd.exe
2588	cmd.exe
1120	remcos.exe
1120	remcos.exe
2148	hab.exe
2372	cmd.exe
2372	cmd.exe
1960	remcos.exe
1960	remcos.exe
688	hab.exe
2116	cmd.exe
2116	cmd.exe
2104	remcos.exe
2104	remcos.exe
1020	hab.exe
1308	cmd.exe
1308	cmd.exe
2112	remcos.exe
2112	remcos.exe
1776	hab.exe
1528	cmd.exe
1528	cmd.exe
2924	remcos.exe
2924	remcos.exe
2800	hab.exe
2740	cmd.exe
2740	cmd.exe
1548	remcos.exe
1548	remcos.exe
2908	hab.exe
1560	cmd.exe
1560	cmd.exe
3008	remcos.exe
3008	remcos.exe
2224	hab.exe
2420	cmd.exe
2420	cmd.exe
2276	remcos.exe
2276	remcos.exe
1916	hab.exe
908	cmd.exe
908	cmd.exe
2136	remcos.exe
2136	remcos.exe
824	hab.exe
540	cmd.exe
540	cmd.exe
2564	remcos.exe
2564	remcos.exe
2316	hab.exe
2860	cmd.exe
2860	cmd.exe
2080	remcos.exe
2080	remcos.exe
2924	hab.exe
2888	cmd.exe
2888	cmd.exe
2732	remcos.exe
2732	remcos.exe
1548	hab.exe
2356	cmd.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe

Modifies WinLogon 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe

Suspicious use of SetThreadContext 27 IoCs

description	pid	Process	procid_target
PID 1612 set thread context of 2784	1612	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe	30
PID 2920 set thread context of 2964	2920	hab.exe	32
PID 2728 set thread context of 1120	2728	remcos.exe	37
PID 2148 set thread context of 1468	2148	hab.exe	39
PID 2988 set thread context of 1960	2988	remcos.exe	44
PID 688 set thread context of 320	688	hab.exe	46
PID 2340 set thread context of 2104	2340	remcos.exe	51
PID 1020 set thread context of 1376	1020	hab.exe	53
PID 2028 set thread context of 2112	2028	remcos.exe	58
PID 1776 set thread context of 1408	1776	hab.exe	60
PID 2824 set thread context of 2924	2824	remcos.exe	65
PID 2800 set thread context of 2764	2800	hab.exe	67
PID 2672 set thread context of 1548	2672	remcos.exe	72
PID 2908 set thread context of 3024	2908	hab.exe	74
PID 1784 set thread context of 3008	1784	remcos.exe	79
PID 2224 set thread context of 2196	2224	hab.exe	81
PID 2496 set thread context of 2276	2496	remcos.exe	86
PID 1916 set thread context of 1956	1916	hab.exe	88
PID 940 set thread context of 2136	940	remcos.exe	93
PID 824 set thread context of 1736	824	hab.exe	95
PID 2028 set thread context of 2564	2028	remcos.exe	100
PID 2316 set thread context of 1776	2316	hab.exe	102
PID 2780 set thread context of 2080	2780	remcos.exe	107
PID 2924 set thread context of 2920	2924	hab.exe	109
PID 2424 set thread context of 2732	2424	remcos.exe	114
PID 1548 set thread context of 1788	1548	hab.exe	116
PID 2364 set thread context of 3016	2364	remcos.exe	121

Drops file in Windows directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1612	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
1612	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
2920	hab.exe
2920	hab.exe
2964	hab.exe
2964	hab.exe
2728	remcos.exe
2728	remcos.exe
1120	remcos.exe
1120	remcos.exe
2148	hab.exe
2148	hab.exe
1468	hab.exe
1468	hab.exe
2988	remcos.exe
2988	remcos.exe
1960	remcos.exe
1960	remcos.exe
688	hab.exe
688	hab.exe
320	hab.exe
320	hab.exe
2340	remcos.exe
2340	remcos.exe
2104	remcos.exe
2104	remcos.exe
1020	hab.exe
1020	hab.exe
1376	hab.exe
1376	hab.exe
2028	remcos.exe
2028	remcos.exe
2112	remcos.exe
2112	remcos.exe
1776	hab.exe
1776	hab.exe
1408	hab.exe
1408	hab.exe
2824	remcos.exe
2824	remcos.exe
2924	remcos.exe
2924	remcos.exe
2800	hab.exe
2800	hab.exe
2764	hab.exe
2764	hab.exe
2672	remcos.exe
2672	remcos.exe
1548	remcos.exe
1548	remcos.exe
2908	hab.exe
2908	hab.exe
3024	hab.exe
3024	hab.exe
1784	remcos.exe
1784	remcos.exe
3008	remcos.exe
3008	remcos.exe
2224	hab.exe
2224	hab.exe
2196	hab.exe
2196	hab.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1612	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
1612	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
2920	hab.exe
2920	hab.exe
2964	hab.exe
2964	hab.exe
2728	remcos.exe
2728	remcos.exe
1120	remcos.exe
1120	remcos.exe
2148	hab.exe
2148	hab.exe
1468	hab.exe
1468	hab.exe
2988	remcos.exe
2988	remcos.exe
1960	remcos.exe
1960	remcos.exe
688	hab.exe
688	hab.exe
320	hab.exe
320	hab.exe
2340	remcos.exe
2340	remcos.exe
2104	remcos.exe
2104	remcos.exe
1020	hab.exe
1020	hab.exe
1376	hab.exe
1376	hab.exe
2028	remcos.exe
2028	remcos.exe
2112	remcos.exe
2112	remcos.exe
1776	hab.exe
1776	hab.exe
1408	hab.exe
1408	hab.exe
2824	remcos.exe
2824	remcos.exe
2924	remcos.exe
2924	remcos.exe
2800	hab.exe
2800	hab.exe
2764	hab.exe
2764	hab.exe
2672	remcos.exe
2672	remcos.exe
1548	remcos.exe
1548	remcos.exe
2908	hab.exe
2908	hab.exe
3024	hab.exe
3024	hab.exe
1784	remcos.exe
1784	remcos.exe
3008	remcos.exe
3008	remcos.exe
2224	hab.exe
2224	hab.exe
2196	hab.exe
2196	hab.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
1612	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
2920	hab.exe
2964	hab.exe
2728	remcos.exe
1120	remcos.exe
2148	hab.exe
1468	hab.exe
2988	remcos.exe
1960	remcos.exe
688	hab.exe
320	hab.exe
2340	remcos.exe
2104	remcos.exe
1020	hab.exe
1376	hab.exe
2028	remcos.exe
2112	remcos.exe
1776	hab.exe
1408	hab.exe
2824	remcos.exe
2924	remcos.exe
2800	hab.exe
2764	hab.exe
2672	remcos.exe
1548	remcos.exe
2908	hab.exe
3024	hab.exe
1784	remcos.exe
3008	remcos.exe
2224	hab.exe
2196	hab.exe
2496	remcos.exe
2276	remcos.exe
1916	hab.exe
1956	hab.exe
940	remcos.exe
2136	remcos.exe
824	hab.exe
1736	hab.exe
2028	remcos.exe
2564	remcos.exe
2316	hab.exe
1776	hab.exe
2780	remcos.exe
2080	remcos.exe
2924	hab.exe
2920	hab.exe
2424	remcos.exe
2732	remcos.exe
1548	hab.exe
1788	hab.exe
2364	remcos.exe
3016	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2784	1612	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe	30
PID 1612 wrote to memory of 2784	1612	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe	30
PID 1612 wrote to memory of 2784	1612	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe	30
PID 1612 wrote to memory of 2784	1612	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe	30
PID 2784 wrote to memory of 2920	2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe	31
PID 2784 wrote to memory of 2920	2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe	31
PID 2784 wrote to memory of 2920	2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe	31
PID 2784 wrote to memory of 2920	2784	b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe	31
PID 2920 wrote to memory of 2964	2920	hab.exe	32
PID 2920 wrote to memory of 2964	2920	hab.exe	32
PID 2920 wrote to memory of 2964	2920	hab.exe	32
PID 2920 wrote to memory of 2964	2920	hab.exe	32
PID 2964 wrote to memory of 1016	2964	hab.exe	33
PID 2964 wrote to memory of 1016	2964	hab.exe	33
PID 2964 wrote to memory of 1016	2964	hab.exe	33
PID 2964 wrote to memory of 1016	2964	hab.exe	33
PID 1016 wrote to memory of 2588	1016	WScript.exe	34
PID 1016 wrote to memory of 2588	1016	WScript.exe	34
PID 1016 wrote to memory of 2588	1016	WScript.exe	34
PID 1016 wrote to memory of 2588	1016	WScript.exe	34
PID 2588 wrote to memory of 2728	2588	cmd.exe	36
PID 2588 wrote to memory of 2728	2588	cmd.exe	36
PID 2588 wrote to memory of 2728	2588	cmd.exe	36
PID 2588 wrote to memory of 2728	2588	cmd.exe	36
PID 2728 wrote to memory of 1120	2728	remcos.exe	37
PID 2728 wrote to memory of 1120	2728	remcos.exe	37
PID 2728 wrote to memory of 1120	2728	remcos.exe	37
PID 2728 wrote to memory of 1120	2728	remcos.exe	37
PID 1120 wrote to memory of 2148	1120	remcos.exe	38
PID 1120 wrote to memory of 2148	1120	remcos.exe	38
PID 1120 wrote to memory of 2148	1120	remcos.exe	38
PID 1120 wrote to memory of 2148	1120	remcos.exe	38
PID 2148 wrote to memory of 1468	2148	hab.exe	39
PID 2148 wrote to memory of 1468	2148	hab.exe	39
PID 2148 wrote to memory of 1468	2148	hab.exe	39
PID 2148 wrote to memory of 1468	2148	hab.exe	39
PID 1468 wrote to memory of 2984	1468	hab.exe	40
PID 1468 wrote to memory of 2984	1468	hab.exe	40
PID 1468 wrote to memory of 2984	1468	hab.exe	40
PID 1468 wrote to memory of 2984	1468	hab.exe	40
PID 2984 wrote to memory of 2372	2984	WScript.exe	41
PID 2984 wrote to memory of 2372	2984	WScript.exe	41
PID 2984 wrote to memory of 2372	2984	WScript.exe	41
PID 2984 wrote to memory of 2372	2984	WScript.exe	41
PID 2372 wrote to memory of 2988	2372	cmd.exe	43
PID 2372 wrote to memory of 2988	2372	cmd.exe	43
PID 2372 wrote to memory of 2988	2372	cmd.exe	43
PID 2372 wrote to memory of 2988	2372	cmd.exe	43
PID 2988 wrote to memory of 1960	2988	remcos.exe	44
PID 2988 wrote to memory of 1960	2988	remcos.exe	44
PID 2988 wrote to memory of 1960	2988	remcos.exe	44
PID 2988 wrote to memory of 1960	2988	remcos.exe	44
PID 1960 wrote to memory of 688	1960	remcos.exe	45
PID 1960 wrote to memory of 688	1960	remcos.exe	45
PID 1960 wrote to memory of 688	1960	remcos.exe	45
PID 1960 wrote to memory of 688	1960	remcos.exe	45
PID 688 wrote to memory of 320	688	hab.exe	46
PID 688 wrote to memory of 320	688	hab.exe	46
PID 688 wrote to memory of 320	688	hab.exe	46
PID 688 wrote to memory of 320	688	hab.exe	46
PID 320 wrote to memory of 2348	320	hab.exe	47
PID 320 wrote to memory of 2348	320	hab.exe	47
PID 320 wrote to memory of 2348	320	hab.exe	47
PID 320 wrote to memory of 2348	320	hab.exe	47

C:\Users\Admin\AppData\Local\Temp\b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
"C:\Users\Admin\AppData\Local\Temp\b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe
  "C:\Users\Admin\AppData\Local\Temp\b79ae94c089b3b1b77465c494e42de5032c1d7d40059559d905fe2ea5e450593.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        16⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        22⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        28⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        29⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        30⤵
        Loads dropped DLL
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        34⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        40⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        42⤵
        Loads dropped DLL
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        46⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        48⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        52⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        54⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        58⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        59⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        60⤵
        Loads dropped DLL
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        63⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        64⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        66⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        67⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        68⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        69⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        70⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        72⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        73⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        74⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        75⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        76⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        77⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        78⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        79⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        80⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
9568f037cd23ecd652f92b7f322e7e13

SHA1
3a6e0ac92730ad41fe4feb409bfe50309a0ab9f4

SHA256
29ae121160064d80f04623e428703683c90657e44a40462f064930b8eb99d961

SHA512
0625fb8f4c325b25103eda07598e6f75a6d57b0ae931726d511cf2d9085766aa2ab63f6727cbbb04c5994b4629a877e2832746691609fd729834a1b80bccbaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ec71425feaef5d4e9a4c9537d43d1959

SHA1
b940848d93068d9cb3cb4fb813ec44defe60afc5

SHA256
560615b3bb52b010cd06aa97b87fbea96650e31ac844561c13fc94244ca6237a

SHA512
38ae26a144b543c858d74cea26954e61fa2dd9ffffee4caba06dc0d096a3e102841f1eb4d1fecc0a87c7d5ef25645a3e91438a973c77aa79fbe5c95ec23b9b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
1eb29a8da750b42f09915041bc135b2e

SHA1
18a9389f126a055ab455314811b29d4a1ba9a5df

SHA256
5c08b720c20f366efa5767f44c6ef572e70e41ddb27711cd511b41e27be1c9b7

SHA512
8bf23d1afde38af5584b452ffff7edaa9a2bf15b00abee6e5f5ae9038d08fa8acec3e3387bfe2fe97a910ffd293f1e25afe0089d30628a67898d9d5876ca96df

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
d866c9cb1daeee4f94657a47d92c437b

SHA1
979fd17fa4df9c2b84bac987d58a4c88bf40f99f

SHA256
cf14290e2114d0995c9967f6170632d186ffa06e9946e29be32b60e0bc0e121e

SHA512
71a2bce73bbeeca16f0f8bd6df35923c10f24609f1a00a7b398add8a7421d8da519136b6005dceb3287e3c4a6842565481781f45725923323f0d408915a4469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
98fc19e470e7969b6c8694993685a737

SHA1
791d6adc6d312cdce6ecff8fee9cd181129e5f2a

SHA256
40b8fd5f0250691ac7b2a04c7a049314f9ee5f0e5ef77e7b78a1226e33c06f6b

SHA512
43855bca6fbc2ff0e6ff39c9141c5b997c705b6ea594db9b8e374ff8d656f901d0146516e5291b0779b48bc7275585eed1f86365d0a1662055cdad0c5d3c10aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
9c597d7f19f9a8c70a71846e6e988e71

SHA1
0a5eecbc086ee9654bb18a14c33969737e77d3d5

SHA256
a61c99e655d3fa0e4c94943aecbadb6fb327295005132df0c486783def3ef7ef

SHA512
a6bc5ce10f4c4e153a3d51d0833b9c4ad9c8df27c99d3d0c42dd6560db08df0db9ffa4098db883dbafe72213b3b4e6fc65468662a5f99f3cfebfad6fb7ae7e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
5917108b409855e297b4fc1543808a87

SHA1
fc35874380f1221d0c5588f7d7009df8e75d60e4

SHA256
eef08e3f50729a3e7d6f501acf001f10959db4b2ac2b2ba5beef449946337a65

SHA512
66b07143cfcba629ac0f1f92a7ff2bb9effa590b0ebc8de02605c0711a6b688b80e006cef132e47597511f3afd12f02dc973d58f463ae7a080b558ef3becf623

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
ad52c6991da7cef5b5a93690d37cb6d8

SHA1
0ee4a135cffd73fc4ad1f537c6b84dddc485d945

SHA256
d901158d758a8457eba45807f7ff1840b8d5d6131e8d2900de258ca44f8f00b0

SHA512
3ff677ef50768b151855723d849414a9ccf644507bac0c89c5cd677c5fc66b88ca835d720aac8171ba8b3fa37155e80fb2a8ce7df8fe96d9a24fc2f5fbfc7bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
7ae5f06b92fe1286440027cb9ca48c75

SHA1
5733476a88b7ebb59e5077da4f81b380ff7da603

SHA256
404d3996f211c41ef34ca3a2ca1416415fbae39b356d86d3e8a5fef487b2ef7c

SHA512
68c59794d9f06625366908d17f50b08c1b898f78cbecf595ce7209c3b6f048b8e39306d850b9e6ad29aa379103222c4d62b177fb02986bf6383da621fff36655

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
10666267339dc714ba26a45ed5cfc83c

SHA1
b780692d4825427e70752f339ce22cff1d6d4397

SHA256
e23cc35609d2649a58df7000eee372650d81778d5a77d069bb837845ce35b1f5

SHA512
880fe87295e786c8dd9aefbce29c30fea3b669a2acb7f1ff34223f3c54ea09eb53cd12fb2d214772442523951c4c3afdc1964e73c4f33d25b3f6820a52b1e1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
536B

MD5
b4118bddcc9fe0ae73396b2b1b58c970

SHA1
23afa06fa78bbcc9c11e8549681fd4956f9d6c45

SHA256
e5d5005f7c9fdada426273f14e2ebe328b84f9161e80acc1396dadbe9897e98f

SHA512
fdc29fb8fafb990e52487b9ec22140dcbc8c684efa53da41e348584c623fff1a7ce1a9b3deaccdb25867479b393d52d199c8f09cb365e6c84e5980f6d4285b67

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
7c26af0a1559002169d352fc573cac6b

SHA1
fa274d7d42c3a958a2dc1e850e367068add1c23c

SHA256
41a09cb6592aa2ea974d0dee3009dcb4e1cb2e3ed05f7dfd5d9be13f828880e1

SHA512
472a425dac75af84b76046a97ebe59111b6039db4f8b836bdb15e4fa94512f117e6dd25a5de900062650c803cd6e89c6aef282754d236dea29cc8d405d47b5bd

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
b0edc38e8b6ec5a17ad8ee905dbf1eb1

SHA1
8451b302076df50a8b75a19e5613a4beba9829d0

SHA256
984b2de2ecc55522e66e97a8c51f8aa3cc79b0106dff7ffc1e15504d21480cb7

SHA512
db53b1807666abe24ac53d59ff0479f5eb4aaece8423e7c8d18f9dec7bb8a28e2abd586c7b77006165a0d14af903f2d2f49863372c8aa10a932982afe73fa4bf

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
90006d35343969cc4f7e05dbff1fffb4

SHA1
1c045caa5393f9720af5fc8a2053ae68c1773f5b

SHA256
00f0a245d7eaabec61ddc7e0ccf91bc4cdd89a410af02e8b62fdec03d7e30558

SHA512
5be5fc92502a2aa12fcdba56a18e6f7d5a745164edad9e141d363504b4392c4fbbca1a8330b7e32be0f3419f271301655452e348da5dbb8579bfd11c5a6c8622

Download Submit
memory/320-122-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/320-121-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/320-128-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1376-163-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1376-165-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/1376-171-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1408-197-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1408-199-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/1408-205-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1468-78-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1468-79-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/1468-85-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1612-12-0x0000000077D20000-0x0000000077DF6000-memory.dmp

Filesize
856KB

Download
memory/1612-2-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/1612-13-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/1612-5-0x0000000077B30000-0x0000000077CD9000-memory.dmp

Filesize
1.7MB

Download
memory/1612-4-0x0000000077B31000-0x0000000077C32000-memory.dmp

Filesize
1.0MB

Download
memory/1736-340-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1736-334-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/1736-332-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1776-367-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1776-359-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1776-361-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/1788-415-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/1788-413-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1788-421-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1956-305-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1956-313-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2196-280-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2196-286-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2196-278-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2764-232-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2764-226-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/2764-225-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2784-22-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2920-386-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2920-394-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2964-34-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2964-36-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2964-42-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3024-259-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3024-251-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3024-253-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads