Malware Analysis Report

2024-08-06 11:21

Sample ID: 240615-tlgchszgmm
Target: Remcos v4.9.3 Light MOD.exe
SHA256: 4ff6da365ddd8c3f3e4c186022ab9447b2f6123adf991a81cd58bc71ecb2522a
Tags: quasar remcos spyware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4ff6da365ddd8c3f3e4c186022ab9447b2f6123adf991a81cd58bc71ecb2522a

Threat Level: Known bad

The file Remcos v4.9.3 Light MOD.exe was found to be: Known bad.

Malicious Activity Summary

quasar remcos spyware trojan

Quasar RAT

Quasar payload

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-15 16:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 16:08

Reported: 2024-06-15 16:11

Platform: win10v2004-20240611-en

Max time kernel: 149s

Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 220 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 3240 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 3560 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3240 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 3560 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 2816 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 2816 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 4512 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4512 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 392 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2108 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 2108 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 880 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 880 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 2016 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 2016 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 1656 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 1656 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 4924 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 4924 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 1580 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 1580 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 316 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 316 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 4308 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 4308 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 1472 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 1472 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 100 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 100 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 4828 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 team-circles.gl.at.ply.gg udp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 129.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp
US 8.8.8.8:53 74.83.221.88.in-addr.arpa udp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp

Files

memory/220-0-0x00007FF8C7273000-0x00007FF8C7275000-memory.dmp

memory/220-1-0x0000000000740000-0x0000000002F94000-memory.dmp

memory/220-2-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 0296021acfb4f37e63df4de7461ebfd9
SHA1 14117dba6ce87cbb6561ebdfffec60cb21860800
SHA256 4fc6d003d67f0a1b3a276018516c6a0fe6301b10efe9e41fccd2e5a645a3333a
SHA512 ffff32821dc347531f6e814df23b1f848df002c33ca83c635bc2fb1d3b810e9c21ffa6da6f0beb1a207f55a9d4048828545d678a8137991d1de2266bcbe1deee

memory/3240-11-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

memory/220-15-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

memory/3560-17-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

memory/3560-18-0x0000000000B00000-0x0000000000E24000-memory.dmp

memory/3560-19-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Remcos v4.9.3 Light MOD.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/3240-23-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

memory/3560-29-0x00007FF8C7270000-0x00007FF8C7D31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/392-37-0x000000001C2F0000-0x000000001C340000-memory.dmp

memory/392-38-0x000000001C400000-0x000000001C4B2000-memory.dmp