quasar | 4ff6da365ddd8c3f3e4c186022ab9447b2f6123adf991a81cd58bc71ecb2522a

General

Target

Remcos v4.9.3 Light MOD.exe
Size

40.3MB
MD5

d3de21913cdebc1c84d668de22831d85
SHA1

2619ebb87016473c06ed820a8d26120b704b8023
SHA256

4ff6da365ddd8c3f3e4c186022ab9447b2f6123adf991a81cd58bc71ecb2522a
SHA512

bccee54ff31b9321020276c311f609951c47dac790ddfc47bcca0d19052fcd5d27340cb99d87f4c762e11c99f39a2b7cbe379d2fabdc8da91c637adccd8339cf
SSDEEP

786432:MukwgGc0LdSPyiMJj2uK0P7ts6CcEwVOgjxBdgoz8pF4zqIdvXO/:Xc0QaiYj2AP7y62wV5jxBXVPG

Score

10^/10

quasar remcos spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Remcos

C2

team-circles.gl.at.ply.gg:25349

Mutex

109bae44-c7e4-46f2-82cd-2c3efb4dc47e

Attributes

encryption_key
78AF43F549EE55D0FC30D38EC96EAA6F3A3F5CDF
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
WD Defender

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe	family_quasar
behavioral1/memory/3560-18-0x0000000000B00000-0x0000000000E24000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 52 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Remcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Remcos v4.9.3 Light MOD.exe

Executes dropped EXE 54 IoCs

Processes:

Runtime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exe

pid	process
3560	Runtime Broker.exe
5116	Runtime Broker.exe
2740	Runtime Broker.exe
4512	Runtime Broker.exe
392	Runtime Broker.exe
1724	Runtime Broker.exe
3976	Runtime Broker.exe
3936	Runtime Broker.exe
4792	Runtime Broker.exe
2280	Runtime Broker.exe
4432	Runtime Broker.exe
32	Runtime Broker.exe
2156	Runtime Broker.exe
2100	Runtime Broker.exe
4512	Runtime Broker.exe
1680	Runtime Broker.exe
1172	Runtime Broker.exe
2232	Runtime Broker.exe
2016	Runtime Broker.exe
3068	Runtime Broker.exe
1432	Runtime Broker.exe
628	Runtime Broker.exe
4332	Runtime Broker.exe
532	Runtime Broker.exe
4688	Runtime Broker.exe
3692	Runtime Broker.exe
2520	Runtime Broker.exe
3408	Runtime Broker.exe
4588	Runtime Broker.exe
1792	Runtime Broker.exe
4876	Runtime Broker.exe
3976	Runtime Broker.exe
4612	Runtime Broker.exe
2764	Runtime Broker.exe
4756	Runtime Broker.exe
1580	Runtime Broker.exe
2528	Runtime Broker.exe
1768	Runtime Broker.exe
2848	Runtime Broker.exe
2000	Runtime Broker.exe
5064	Runtime Broker.exe
3120	Runtime Broker.exe
1160	Runtime Broker.exe
2668	Runtime Broker.exe
3812	Runtime Broker.exe
4512	Runtime Broker.exe
4216	Runtime Broker.exe
3696	Runtime Broker.exe
4956	Runtime Broker.exe
1656	Runtime Broker.exe
2080	Runtime Broker.exe
2144	Runtime Broker.exe
408	Runtime Broker.exe
3288	Runtime Broker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2408 schtasks.exe
4920 schtasks.exe
4664 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Runtime Broker.exe

pid process

5116 Runtime Broker.exe

pid	process
2408	schtasks.exe
4920	schtasks.exe
4664	schtasks.exe

pid	process
5116	Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

Runtime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exe

description	pid	process
Token: SeDebugPrivilege	3560	Runtime Broker.exe
Token: SeDebugPrivilege	5116	Runtime Broker.exe
Token: SeDebugPrivilege	2740	Runtime Broker.exe
Token: SeDebugPrivilege	4512	Runtime Broker.exe
Token: SeDebugPrivilege	392	Runtime Broker.exe
Token: SeDebugPrivilege	1724	Runtime Broker.exe
Token: SeDebugPrivilege	3976	Runtime Broker.exe
Token: SeDebugPrivilege	3936	Runtime Broker.exe
Token: SeDebugPrivilege	4792	Runtime Broker.exe
Token: SeDebugPrivilege	2280	Runtime Broker.exe
Token: SeDebugPrivilege	4432	Runtime Broker.exe
Token: SeDebugPrivilege	32	Runtime Broker.exe
Token: SeDebugPrivilege	2156	Runtime Broker.exe
Token: SeDebugPrivilege	2100	Runtime Broker.exe
Token: SeDebugPrivilege	4512	Runtime Broker.exe
Token: SeDebugPrivilege	1680	Runtime Broker.exe
Token: SeDebugPrivilege	1172	Runtime Broker.exe
Token: SeDebugPrivilege	2232	Runtime Broker.exe
Token: SeDebugPrivilege	2016	Runtime Broker.exe
Token: SeDebugPrivilege	3068	Runtime Broker.exe
Token: SeDebugPrivilege	1432	Runtime Broker.exe
Token: SeDebugPrivilege	628	Runtime Broker.exe
Token: SeDebugPrivilege	4332	Runtime Broker.exe
Token: SeDebugPrivilege	532	Runtime Broker.exe
Token: SeDebugPrivilege	4688	Runtime Broker.exe
Token: SeDebugPrivilege	3692	Runtime Broker.exe
Token: SeDebugPrivilege	2520	Runtime Broker.exe
Token: SeDebugPrivilege	3408	Runtime Broker.exe
Token: SeDebugPrivilege	4588	Runtime Broker.exe
Token: SeDebugPrivilege	1792	Runtime Broker.exe
Token: SeDebugPrivilege	4876	Runtime Broker.exe
Token: SeDebugPrivilege	3976	Runtime Broker.exe
Token: SeDebugPrivilege	4612	Runtime Broker.exe
Token: SeDebugPrivilege	2764	Runtime Broker.exe
Token: SeDebugPrivilege	4756	Runtime Broker.exe
Token: SeDebugPrivilege	1580	Runtime Broker.exe
Token: SeDebugPrivilege	2528	Runtime Broker.exe
Token: SeDebugPrivilege	1768	Runtime Broker.exe
Token: SeDebugPrivilege	2848	Runtime Broker.exe
Token: SeDebugPrivilege	2000	Runtime Broker.exe
Token: SeDebugPrivilege	5064	Runtime Broker.exe
Token: SeDebugPrivilege	3120	Runtime Broker.exe
Token: SeDebugPrivilege	1160	Runtime Broker.exe
Token: SeDebugPrivilege	2668	Runtime Broker.exe
Token: SeDebugPrivilege	3812	Runtime Broker.exe
Token: SeDebugPrivilege	4512	Runtime Broker.exe
Token: SeDebugPrivilege	4216	Runtime Broker.exe
Token: SeDebugPrivilege	3696	Runtime Broker.exe
Token: SeDebugPrivilege	4956	Runtime Broker.exe
Token: SeDebugPrivilege	1656	Runtime Broker.exe
Token: SeDebugPrivilege	2080	Runtime Broker.exe
Token: SeDebugPrivilege	2144	Runtime Broker.exe
Token: SeDebugPrivilege	408	Runtime Broker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Runtime Broker.exe

pid process

392 Runtime Broker.exe

pid	process
392	Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Remcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRuntime Broker.exeRemcos v4.9.3 Light MOD.exeRuntime Broker.exeRuntime Broker.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exeRemcos v4.9.3 Light MOD.exe

description	pid	process	target process
PID 220 wrote to memory of 3240	220	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 220 wrote to memory of 3240	220	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 220 wrote to memory of 3560	220	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 220 wrote to memory of 3560	220	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 3240 wrote to memory of 2816	3240	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 3240 wrote to memory of 2816	3240	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 3560 wrote to memory of 2408	3560	Runtime Broker.exe	schtasks.exe
PID 3560 wrote to memory of 2408	3560	Runtime Broker.exe	schtasks.exe
PID 3240 wrote to memory of 5116	3240	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 3240 wrote to memory of 5116	3240	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 3560 wrote to memory of 2740	3560	Runtime Broker.exe	Runtime Broker.exe
PID 3560 wrote to memory of 2740	3560	Runtime Broker.exe	Runtime Broker.exe
PID 2816 wrote to memory of 2108	2816	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 2816 wrote to memory of 2108	2816	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 2816 wrote to memory of 4512	2816	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 2816 wrote to memory of 4512	2816	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 4512 wrote to memory of 4920	4512	Runtime Broker.exe	schtasks.exe
PID 4512 wrote to memory of 4920	4512	Runtime Broker.exe	schtasks.exe
PID 4512 wrote to memory of 392	4512	Runtime Broker.exe	Runtime Broker.exe
PID 4512 wrote to memory of 392	4512	Runtime Broker.exe	Runtime Broker.exe
PID 392 wrote to memory of 4664	392	Runtime Broker.exe	schtasks.exe
PID 392 wrote to memory of 4664	392	Runtime Broker.exe	schtasks.exe
PID 2108 wrote to memory of 880	2108	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 2108 wrote to memory of 880	2108	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 2108 wrote to memory of 1724	2108	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 2108 wrote to memory of 1724	2108	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 880 wrote to memory of 2016	880	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 880 wrote to memory of 2016	880	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 880 wrote to memory of 3976	880	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 880 wrote to memory of 3976	880	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 2016 wrote to memory of 1656	2016	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 2016 wrote to memory of 1656	2016	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 2016 wrote to memory of 3936	2016	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 2016 wrote to memory of 3936	2016	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 1656 wrote to memory of 4924	1656	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 1656 wrote to memory of 4924	1656	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 1656 wrote to memory of 4792	1656	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 1656 wrote to memory of 4792	1656	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 4924 wrote to memory of 1580	4924	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 4924 wrote to memory of 1580	4924	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 4924 wrote to memory of 2280	4924	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 4924 wrote to memory of 2280	4924	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 1580 wrote to memory of 316	1580	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 1580 wrote to memory of 316	1580	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 1580 wrote to memory of 4432	1580	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 1580 wrote to memory of 4432	1580	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 316 wrote to memory of 4308	316	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 316 wrote to memory of 4308	316	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 316 wrote to memory of 32	316	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 316 wrote to memory of 32	316	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 4308 wrote to memory of 1472	4308	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 4308 wrote to memory of 1472	4308	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 4308 wrote to memory of 2156	4308	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 4308 wrote to memory of 2156	4308	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 1472 wrote to memory of 100	1472	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 1472 wrote to memory of 100	1472	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 1472 wrote to memory of 2100	1472	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 1472 wrote to memory of 2100	1472	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 100 wrote to memory of 4828	100	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 100 wrote to memory of 4828	100	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 100 wrote to memory of 4512	100	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 100 wrote to memory of 4512	100	Remcos v4.9.3 Light MOD.exe	Runtime Broker.exe
PID 4828 wrote to memory of 1736	4828	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe
PID 4828 wrote to memory of 1736	4828	Remcos v4.9.3 Light MOD.exe	Remcos v4.9.3 Light MOD.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
8⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
9⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
10⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
11⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
12⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
13⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:100

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
14⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
15⤵
- Checks computer location settings
PID:1736

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
16⤵
- Checks computer location settings
PID:2872

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
17⤵
- Checks computer location settings
PID:880

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
18⤵
- Checks computer location settings
PID:3720

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
19⤵
- Checks computer location settings
PID:4944

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
20⤵
- Checks computer location settings
PID:3480

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
21⤵
- Checks computer location settings
PID:4640

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
22⤵
- Checks computer location settings
PID:4432

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
23⤵
- Checks computer location settings
PID:4580

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
24⤵
- Checks computer location settings
PID:1088

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
25⤵
- Checks computer location settings
PID:1216

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
26⤵
- Checks computer location settings
PID:1116

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
27⤵
- Checks computer location settings
PID:4980

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
28⤵
- Checks computer location settings
PID:3124

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
29⤵
- Checks computer location settings
PID:2892

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
30⤵
- Checks computer location settings
PID:1920

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
31⤵
- Checks computer location settings
PID:336

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
32⤵
- Checks computer location settings
PID:1884

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
33⤵
- Checks computer location settings
PID:3736

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
34⤵
- Checks computer location settings
PID:4596

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
35⤵
- Checks computer location settings
PID:1084

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
36⤵
- Checks computer location settings
PID:788

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
37⤵
- Checks computer location settings
PID:1448

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
38⤵
- Checks computer location settings
PID:2060

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
39⤵
- Checks computer location settings
PID:1304

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
40⤵
- Checks computer location settings
PID:2772

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
41⤵
- Checks computer location settings
PID:3988

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
42⤵
- Checks computer location settings
PID:1300

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
43⤵
- Checks computer location settings
PID:1104

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
44⤵
- Checks computer location settings
PID:224

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
45⤵
- Checks computer location settings
PID:2300

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
46⤵
- Checks computer location settings
PID:1620

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
47⤵
- Checks computer location settings
PID:4136

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
48⤵
- Checks computer location settings
PID:3976

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
49⤵
- Checks computer location settings
PID:4744

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
50⤵
- Checks computer location settings
PID:2712

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
51⤵
- Checks computer location settings
PID:2280

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
52⤵
- Checks computer location settings
PID:1804

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
53⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
53⤵
- Executes dropped EXE
PID:3288

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4920

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4664

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2408

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Remcos v4.9.3 Light MOD.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
Filesize
3.1MB

MD5
0296021acfb4f37e63df4de7461ebfd9

SHA1
14117dba6ce87cbb6561ebdfffec60cb21860800

SHA256
4fc6d003d67f0a1b3a276018516c6a0fe6301b10efe9e41fccd2e5a645a3333a

SHA512
ffff32821dc347531f6e814df23b1f848df002c33ca83c635bc2fb1d3b810e9c21ffa6da6f0beb1a207f55a9d4048828545d678a8137991d1de2266bcbe1deee

Download Submit
memory/220-0-0x00007FF8C7273000-0x00007FF8C7275000-memory.dmp

Filesize
8KB

Download
memory/220-15-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

Filesize
10.8MB

Download
memory/220-2-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

Filesize
10.8MB

Download
memory/220-1-0x0000000000740000-0x0000000002F94000-memory.dmp

Filesize
40.3MB

Download
memory/392-37-0x000000001C2F0000-0x000000001C340000-memory.dmp

Filesize
320KB

Download
memory/392-38-0x000000001C400000-0x000000001C4B2000-memory.dmp

Filesize
712KB

Download
memory/3240-11-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

Filesize
10.8MB

Download
memory/3240-23-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

Filesize
10.8MB

Download
memory/3560-17-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

Filesize
10.8MB

Download
memory/3560-18-0x0000000000B00000-0x0000000000E24000-memory.dmp

Filesize
3.1MB

Download
memory/3560-19-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

Filesize
10.8MB

Download
memory/3560-29-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads