remcos | ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	remcos.exe

Executes dropped EXE 6 IoCs

pid	Process
5188	hab.exe
3040	hab.exe
4804	remcos.exe
1040	hab.exe
2952	remcos.exe
4844	hab.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
File opened for modification	C:\Windows\win.ini	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	hab.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
5284	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
5284	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
5456	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
5456	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
5188	hab.exe
5188	hab.exe
3040	hab.exe
3040	hab.exe
4804	remcos.exe
4804	remcos.exe
1040	hab.exe
1040	hab.exe
2952	remcos.exe
2952	remcos.exe
4844	hab.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
5284	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
5284	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
5456	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
5456	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
5188	hab.exe
5188	hab.exe
3040	hab.exe
3040	hab.exe
4804	remcos.exe
4804	remcos.exe
1040	hab.exe
1040	hab.exe
2952	remcos.exe
2952	remcos.exe
4844	hab.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5284	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
5456	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
5188	hab.exe
3040	hab.exe
4804	remcos.exe
1040	hab.exe
2952	remcos.exe
4844	hab.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 5284 wrote to memory of 5456	5284	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe	88
PID 5284 wrote to memory of 5456	5284	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe	88
PID 5284 wrote to memory of 5456	5284	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe	88
PID 5456 wrote to memory of 5188	5456	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe	89
PID 5456 wrote to memory of 5188	5456	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe	89
PID 5456 wrote to memory of 5188	5456	ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe	89
PID 5188 wrote to memory of 3040	5188	hab.exe	90
PID 5188 wrote to memory of 3040	5188	hab.exe	90
PID 5188 wrote to memory of 3040	5188	hab.exe	90
PID 4968 wrote to memory of 4656	4968	cmd.exe	95
PID 4968 wrote to memory of 4656	4968	cmd.exe	95
PID 4548 wrote to memory of 4804	4548	cmd.exe	96
PID 4548 wrote to memory of 4804	4548	cmd.exe	96
PID 4548 wrote to memory of 4804	4548	cmd.exe	96
PID 3040 wrote to memory of 3332	3040	hab.exe	97
PID 3040 wrote to memory of 3332	3040	hab.exe	97
PID 3040 wrote to memory of 3332	3040	hab.exe	97
PID 4656 wrote to memory of 1040	4656	wscript.exe	98
PID 4656 wrote to memory of 1040	4656	wscript.exe	98
PID 4656 wrote to memory of 1040	4656	wscript.exe	98
PID 4804 wrote to memory of 2952	4804	remcos.exe	100
PID 4804 wrote to memory of 2952	4804	remcos.exe	100
PID 4804 wrote to memory of 2952	4804	remcos.exe	100
PID 1040 wrote to memory of 4844	1040	hab.exe	167
PID 1040 wrote to memory of 4844	1040	hab.exe	167
PID 1040 wrote to memory of 4844	1040	hab.exe	167

C:\Users\Admin\AppData\Local\Temp\ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
"C:\Users\Admin\AppData\Local\Temp\ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5284
- C:\Users\Admin\AppData\Local\Temp\ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe
  "C:\Users\Admin\AppData\Local\Temp\ed85b2c5087e8b1b36ce0ae7c3c7532ce415fe626069774af7007b40443df0ab.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5188
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4844
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        5⤵
        
        PID:4512
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:3360
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:1168
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:5184
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:3152
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:4256
    - - C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        5⤵
        
        PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:2712
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:5748
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:5324
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:5760
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        5⤵
        
        PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:4092
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:4476
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:5636
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:3156
    - - C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        5⤵
        
        PID:5344
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:1496
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:5956
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:5792
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:2172
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:5508
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:5468
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:5784
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:5668
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:2536
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:4900
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:4876
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:5652
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:5428
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:544
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:3924
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        5⤵
        
        PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:5996
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:5768
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:6052
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:2212
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:5000
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

2

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

2

Defense Evasion

Modify Registry

3

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

2

T1082

System Location Discovery

T1614

System Language Discovery