Edit tour

Windows Analysis Report
RuntimeBroker.exe

Overview

General Information

Sample name:	RuntimeBroker.exe
Analysis ID:	1500468
MD5:	864daf03da104a8aa3ba7c2ed5ffddbc
SHA1:	0811c39fd76395ed47646310bf5ecf57a0ac8ce4
SHA256:	579dfced8f02a7e1e6e8df10c400117d3127ead7231776a1e467eb507261e920
Tags:	exe
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Sigma detected: System File Execution Location Anomaly

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found evasive API chain checking for process token information

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

RuntimeBroker.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\RuntimeBroker.exe" MD5: 864DAF03DA104A8AA3BA7C2ED5FFDDBC)

cleanup

Sigma Signatures

System Summary

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\Desktop\RuntimeBroker.exe", CommandLine: "C:\Users\user\Desktop\RuntimeBroker.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\RuntimeBroker.exe, NewProcessName: C:\Users\user\Desktop\RuntimeBroker.exe, OriginalFileName: C:\Users\user\Desktop\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\RuntimeBroker.exe", ProcessId: 7416, ProcessName: RuntimeBroker.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: RuntimeBroker.exe

Static PE information: certificate valid

Source: RuntimeBroker.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: RuntimeBroker.pdbUGP source: RuntimeBroker.exe
Source:	Binary string: RuntimeBroker.pdb source: RuntimeBroker.exe

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Code function: 0_2_00007FF64EEC7470 NtQueryWnfStateData,GetProcAddress,

0_2_00007FF64EEC7470

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_00007FF64EEC32C0	0_2_00007FF64EEC32C0
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_00007FF64EEC7594	0_2_00007FF64EEC7594
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_00007FF64EEC2940	0_2_00007FF64EEC2940
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_00007FF64EEC26C0	0_2_00007FF64EEC26C0

Source: RuntimeBroker.exe

Binary or memory string: OriginalFilename vs RuntimeBroker.exe

Source: classification engine

Classification label: sus24.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Code function: 0_2_00007FF64EEC3040 SetErrorMode,SetProcessShutdownParameters,CoInitializeEx,CoIncrementMTAUsage,CoCreateInstance,#99,CoInitializeSecurity,CoDecrementMTAUsage,EtwEventUnregister,PowerSettingUnregisterNotification,CloseHandle,GetCurrentProcess,TerminateProcess,

0_2_00007FF64EEC3040

Source: RuntimeBroker.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: umpdc.dll	Jump to behavior

Source: RuntimeBroker.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: RuntimeBroker.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: RuntimeBroker.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RuntimeBroker.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RuntimeBroker.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RuntimeBroker.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RuntimeBroker.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RuntimeBroker.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RuntimeBroker.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: RuntimeBroker.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RuntimeBroker.pdbUGP source: RuntimeBroker.exe
Source:	Binary string: RuntimeBroker.pdb source: RuntimeBroker.exe

Source: RuntimeBroker.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RuntimeBroker.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RuntimeBroker.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RuntimeBroker.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RuntimeBroker.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: RuntimeBroker.exe

Static PE information: 0x6B2DB9AF [Fri Dec 25 00:32:47 2026 UTC]

Source: RuntimeBroker.exe

Static PE information: section name: .imrsiv

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-5055

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Code function: 0_2_00007FF64EECF60C VirtualQuery,GetSystemInfo,SetThreadStackGuarantee,VirtualAlloc,VirtualProtect,

0_2_00007FF64EECF60C

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Code function: 0_2_00007FF64EECEF7C IsDebuggerPresent,

0_2_00007FF64EECEF7C

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Code function: 0_2_00007FF64EECA014 GetProcessHeap,HeapFree,

0_2_00007FF64EECA014

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_00007FF64EEC6470 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF64EEC6470
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_00007FF64EEC5E68 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF64EEC5E68
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_00007FF64EEC6668 SetUnhandledExceptionFilter,	0_2_00007FF64EEC6668

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Code function: 0_2_00007FF64EEC630C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF64EEC630C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Timestomp	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RuntimeBroker.exe	0%	ReversingLabs

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500468
Start date and time:	2024-08-28 14:38:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RuntimeBroker.exe
Detection:	SUS
Classification:	sus24.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

VT rate limit hit for: RuntimeBroker.exe

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.337301399311605
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RuntimeBroker.exe
File size:	102'832 bytes
MD5:	864daf03da104a8aa3ba7c2ed5ffddbc
SHA1:	0811c39fd76395ed47646310bf5ecf57a0ac8ce4
SHA256:	579dfced8f02a7e1e6e8df10c400117d3127ead7231776a1e467eb507261e920
SHA512:	2c96d780e809c5153e0239dd0d3e4f34a6195b4ae8b651a3299c5a2cff5db779fba4c9d54044444a375e36686d8e86f2d8ac5438b534bbe103dbc4384adf7cc2
SSDEEP:	3072:dJemf/mcwOwR0G94tunr/nhxm+AofjOkjf/:dJemfDwvR0G94EnrGZAjOE
TLSH:	13A36C6E22A830D9E47B52BCC5D24606E7B1B430131257EF06A0C5BD0F27BD5AE39F56
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[K............A......R..R..........A......A......A......A......Aq.....As.....A.....Rich...........PE..d.....-k...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140005e10
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6B2DB9AF [Fri Dec 25 00:32:47 2026 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	d4d98acf3243e0c97c83c6548571a44e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	16/11/2023 19:20:08 14/11/2024 19:20:08
Subject Chain	CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	1E2354965A83BD0EB745A2611567E5DF
Thumbprint SHA-1:	71F53A26BB1625E466727183409A30D03D7923DF
Thumbprint SHA-256:	CE08760345BD5A18AA9091E6F083522AD593BD42F587699E025AFD55BE589334
Serial:	330000045FF3C96C1A7FF7DA1D00000000045F

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FE89C926EB8h
dec eax
add esp, 28h
jmp 00007FE89C926833h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00011289h]
jne 00007FE89C9269D5h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FE89C9269C5h
ret
dec eax
ror ecx, 10h
jmp 00007FE89C926A34h
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
call dword ptr [0000B7F1h]
mov ecx, 00000001h
mov dword ptr [0001181Eh], eax
call 00007FE89C926F9Eh
xor ecx, ecx
call dword ptr [0000B801h]
dec eax
mov ecx, ebx
call dword ptr [0000B7F0h]
cmp dword ptr [00011801h], 00000000h
jne 00007FE89C9269CCh
mov ecx, 00000001h
call 00007FE89C926F7Ah
call dword ptr [0000B8EFh]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0000B8B3h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14dd0	0x2e4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x958	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x18000	0x13d4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x16800	0x29b0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1b000	0x158	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12910	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x111e0	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11590	0x650	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe75d	0xe800	db8d480a3344ac6953cef18a1d64afe5	False	0.5401400862068966	data	6.130989005624656	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.imrsiv	0x10000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x11000	0x597e	0x5a00	0fa260a97d9b497e4ca205dd17c2f646	False	0.38446180555555554	data	5.037831171378161	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0xcb8	0x200	c44a01605dc1a307054db0e92aeec2dd	False	0.166015625	data	1.0142839915743904	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x18000	0x13d4	0x1400	140d4dd1279d1b87c8d59ab149d942fe	False	0.4953125	PEX Binary Archive	4.953094732387179	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0x958	0xa00	f9adbad9bac51281f82e113a1e7c13dc	False	0.400390625	data	4.556481347061354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1b000	0x158	0x200	0a449cec708320ce6ef29e182baffa42	False	0.533203125	data	4.029164530294979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1a5b0	0x3a4	data	English	United States	0.44527896995708155
RT_MANIFEST	0x1a0a0	0x50b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.42989930286599537

Imports

DLL	Import
api-ms-win-crt-runtime-l1-1-0.dll	_register_thread_local_exe_atexit_callback, _c_exit, _initterm_e, _initterm
api-ms-win-crt-private-l1-1-0.dll	_o__get_wide_winmain_command_line, _o__initialize_onexit_table, _o__initialize_wide_environment, _o__invalid_parameter_noinfo, _o__purecall, _o__register_onexit_function, _o__resetstkoflw, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, memmove, _o__exit, _o_exit, _o_terminate, __C_specific_handler, __CxxFrameHandler3, _o___stdio_common_vswprintf, _o__crt_atexit, _o__configure_wide_argv, _o__configthreadlocale, _o__errno, _o__cexit, memcmp, _o___p__commode, memcpy
api-ms-win-crt-string-l1-1-0.dll	wcsncmp, memset
ntdll.dll	EtwTraceMessage, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RtlNtStatusToDosError, RtlEqualSid, RtlIsMultiSessionSku, RtlQueryPackageClaims, RtlQueryPackageIdentity, EtwEventRegister, EtwEventUnregister, EtwEventWriteTransfer, EtwEventSetInformation
api-ms-win-security-base-l1-1-0.dll	GetKernelObjectSecurity, PrivilegeCheck, AccessCheckByType, GetTokenInformation, GetLengthSid, CreateWellKnownSid, CopySid, MapGenericMask, AccessCheck
api-ms-win-core-com-l1-1-0.dll	CoTaskMemAlloc, CoReleaseServerProcess, CoAddRefServerProcess, CoCreateInstance, CoCreateFreeThreadedMarshaler, CoFreeUnusedLibrariesEx, CoTaskMemFree, CoImpersonateClient, CoRegisterClassObject, CoGetCallContext, CoRevokeClassObject, CoResumeClassObjects, CoInitializeEx, CoDecrementMTAUsage, CoRevertToSelf, CoInitializeSecurity, CoIncrementMTAUsage
api-ms-win-core-libraryloader-l1-2-0.dll	GetModuleFileNameA, GetProcAddress, GetModuleHandleExW, GetModuleHandleW
api-ms-win-power-setting-l1-1-0.dll	PowerSettingUnregisterNotification, PowerSettingRegisterNotification
api-ms-win-core-synch-l1-2-0.dll	InitOnceExecuteOnce, InitOnceBeginInitialize, InitOnceComplete
api-ms-win-core-registry-l1-1-0.dll	RegCloseKey, RegOpenKeyExW, RegQueryValueExW
api-ms-win-core-synch-l1-1-0.dll	ReleaseMutex, CreateEventW, InitializeCriticalSectionEx, AcquireSRWLockShared, LeaveCriticalSection, CreateMutexExW, SetEvent, OpenSemaphoreW, ReleaseSRWLockShared, AcquireSRWLockExclusive, DeleteCriticalSection, WaitForSingleObjectEx, WaitForSingleObject, ReleaseSemaphore, CreateSemaphoreExW, EnterCriticalSection, ReleaseSRWLockExclusive
api-ms-win-core-winrt-error-l1-1-0.dll	RoGetErrorReportingFlags, RoOriginateError, RoOriginateErrorW, RoSetErrorReportingFlags
api-ms-win-core-heap-l1-1-0.dll	GetProcessHeap, HeapAlloc, HeapSetInformation, HeapFree
api-ms-win-core-errorhandling-l1-1-0.dll	RaiseException, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, GetLastError, SetErrorMode
api-ms-win-core-winrt-string-l1-1-0.dll	WindowsDeleteString, WindowsCreateStringReference, WindowsCreateString, WindowsGetStringRawBuffer
api-ms-win-core-processthreads-l1-1-0.dll	OpenThreadToken, GetStartupInfoW, TerminateProcess, SetThreadStackGuarantee, GetCurrentProcessId, SetProcessShutdownParameters, GetCurrentThreadId, GetCurrentProcess, GetCurrentThread
RPCRT4.dll	UuidEqual
api-ms-win-core-synch-l1-2-1.dll	WaitForMultipleObjects
api-ms-win-eventing-provider-l1-1-0.dll	EventWriteTransfer, EventUnregister, EventRegister, EventSetInformation
api-ms-win-core-processthreads-l1-1-1.dll	SetProcessMitigationPolicy, IsProcessorFeaturePresent, GetProcessMitigationPolicy
api-ms-win-core-winrt-l1-1-0.dll	RoGetActivationFactory, RoActivateInstance
api-ms-win-core-threadpool-l1-2-0.dll	WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolTimer, SetThreadpoolTimer
api-ms-win-core-localization-l1-2-0.dll	FormatMessageW
api-ms-win-core-debug-l1-1-0.dll	OutputDebugStringW, IsDebuggerPresent, DebugBreak
api-ms-win-core-handle-l1-1-0.dll	CloseHandle
api-ms-win-core-heap-l2-1-0.dll	LocalFree
api-ms-win-core-psapi-l1-1-0.dll	QueryFullProcessImageNameW
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll	GetSystemInfo, GetSystemTimeAsFileTime
api-ms-win-core-interlocked-l1-1-0.dll	InitializeSListHead
combase.dll
api-ms-win-security-lsalookup-l1-1-0.dll	LsaLookupFreeMemory, LsaLookupClose, LsaLookupOpenLocalPolicy, LsaLookupGetDomainInfo
api-ms-win-appmodel-runtime-l1-1-1.dll	GetApplicationUserModelIdFromToken
api-ms-win-core-apiquery-l1-1-0.dll	ApiSetQueryApiSetPresence
RMCLIENT.dll	HamCloseActivity
api-ms-win-core-memory-l1-1-0.dll	VirtualAlloc, VirtualProtect, VirtualQuery

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• RuntimeBroker.exe

Click to jump to process

Memory Usage

• RuntimeBroker.exe

Click to jump to process

Target ID:	0
Start time:	08:38:53
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\RuntimeBroker.exe"
Imagebase:	0x7ff64eec0000
File size:	102'832 bytes
MD5 hash:	864DAF03DA104A8AA3BA7C2ED5FFDDBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.1%
Total number of Nodes:	1351
Total number of Limit Nodes:	20

Executed Functions

Function 00007FF64EEC32C0 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 214
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC32D0
RegOpenKeyExW.KERNELBASE ref: 00007FF64EEC3329
#69.COMBASE ref: 00007FF64EEC334A
InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF64EEC339C
CoRegisterClassObject.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC33E6

Part of subcall function 00007FF64EEC35A0: CoCreateFreeThreadedMarshaler.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000000,00007FF64EEC341E), ref: 00007FF64EEC35DE

CoRegisterClassObject.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC3445
CoResumeClassObjects.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC3470
WaitForMultipleObjects.API-MS-WIN-CORE-SYNCH-L1-2-1 ref: 00007FF64EEC34B3
CoFreeUnusedLibrariesEx.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC34C8
CoRevokeClassObject.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC34F9
CoRevokeClassObject.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC350F
#69.COMBASE ref: 00007FF64EEC352D
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC354E
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF64EEC3561
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC357B

Part of subcall function 00007FF64EEC3600: RtlIsMultiSessionSku.NTDLL ref: 00007FF64EEC3630

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64EEC8846
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF64EEC88AE
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF64EEC88D1

Strings

SOFTWARE\Microsoft\Ole\Extensions\AppCompat, xrefs: 00007FF64EEC3312
RuntimeBrokerIdleExitTimeout, xrefs: 00007FF64EEC889B

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Class$Object$CloseCreateExclusiveFreeLockObjectsOnceRegisterRevoke$AcquireErrorEventExecuteHandleInitLastLibrariesMarshalerMultiMultipleOpenQueryReleaseResumeSessionThreadedUnusedValueWait
String ID: RuntimeBrokerIdleExitTimeout$SOFTWARE\Microsoft\Ole\Extensions\AppCompat
API String ID: 1720284953-2752388663
Opcode ID: 25cf93062caf1ac11777a3095b713c40efa49ee0f3b794c08add41d4a2590d1b
Instruction ID: 091aa9c3f8234234e54caae35aa6da04b9bf8399777178542141e33851088b22
Opcode Fuzzy Hash: 25cf93062caf1ac11777a3095b713c40efa49ee0f3b794c08add41d4a2590d1b
Instruction Fuzzy Hash: 09B11A3AA0CB5386EB20BB14E8409797BA1FFA9B41F845175EA4E83764DFBDE445C700

Function 00007FF64EEC3040 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 149
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF64EEC37C0: HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64EEC304F), ref: 00007FF64EEC37D7
Part of subcall function 00007FF64EEC37C0: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF64EEC304F), ref: 00007FF64EEC37E3
Part of subcall function 00007FF64EEC37C0: GetProcessMitigationPolicy.KERNELBASE(?,?,?,00007FF64EEC304F), ref: 00007FF64EEC3802
Part of subcall function 00007FF64EEC37C0: SetProcessMitigationPolicy.KERNELBASE ref: 00007FF64EEC3822
Part of subcall function 00007FF64EEC37C0: SetProcessMitigationPolicy.KERNELBASE(?,?,?,00007FF64EEC304F), ref: 00007FF64EEC383F

SetErrorMode.KERNELBASE ref: 00007FF64EEC3054
SetProcessShutdownParameters.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EEC3065

Part of subcall function 00007FF64EEC4E7C: EtwEventRegister.NTDLL ref: 00007FF64EEC4EC7
Part of subcall function 00007FF64EEC4E7C: EtwEventSetInformation.NTDLL ref: 00007FF64EEC4EF2

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC307A
CoIncrementMTAUsage.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC30B3
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC30EC
#99.COMBASE ref: 00007FF64EEC316C

Part of subcall function 00007FF64EEC36C8: RtlQueryPackageIdentity.NTDLL ref: 00007FF64EEC370F

CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC31EC
CoDecrementMTAUsage.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC321B
EtwEventUnregister.NTDLL ref: 00007FF64EEC323B
PowerSettingUnregisterNotification.API-MS-WIN-POWER-SETTING-L1-1-0 ref: 00007FF64EEC3253
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF64EEC3272
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EEC3285
TerminateProcess.KERNELBASE ref: 00007FF64EEC3296

Part of subcall function 00007FF64EEC3750: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC3771
Part of subcall function 00007FF64EEC3750: PowerSettingRegisterNotification.API-MS-WIN-POWER-SETTING-L1-1-0 ref: 00007FF64EEC37A5

Strings

H, xrefs: 00007FF64EEC31C8

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Process$Event$MitigationPolicy$CreateCurrentInformationInitializeNotificationPowerRegisterSettingUnregisterUsage$CloseDecrementErrorHandleHeapIdentityIncrementInstanceModePackageParametersQuerySecurityShutdownTerminate
String ID: H
API String ID: 617550459-2852464175
Opcode ID: 599b0346224084a25877cd22d9dd4c57c4b538764803e7ef0202359cfb087da7
Instruction ID: 7b071e1d242fe7eba40e45b194809af39fd30bd9ec574e7777a068666a458153
Opcode Fuzzy Hash: 599b0346224084a25877cd22d9dd4c57c4b538764803e7ef0202359cfb087da7
Instruction Fuzzy Hash: C1712939B0CA4386EB10BB51E840679BBA0FFA9B51F448175EA4E83765DFBDE448C700

Function 00007FF64EEC3BB0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 00007FF64EEC3BED
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF64EEC8FBA
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF64EEC9040

Strings

%!WINERROR!, xrefs: 00007FF64EEC9079
SOFTWARE\Microsoft\OLE\Diagnosis, xrefs: 00007FF64EEC3BD9
error %!WINERROR! type %d, xrefs: 00007FF64EEC900A
EnablePerStoreApplicationBrokerInstance, xrefs: 00007FF64EEC8FAE
onecore\com\combase\common\core\perappruntimebroker.cpp, xrefs: 00007FF64EEC9021, 00007FF64EEC9095
CheckPerAppBrokerInstancingRegistryValue, xrefs: 00007FF64EEC9015, 00007FF64EEC9089

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: %!WINERROR!$CheckPerAppBrokerInstancingRegistryValue$EnablePerStoreApplicationBrokerInstance$SOFTWARE\Microsoft\OLE\Diagnosis$error %!WINERROR! type %d$onecore\com\combase\common\core\perappruntimebroker.cpp
API String ID: 3677997916-685290384
Opcode ID: 306870c6963b1916a868d7878903f85fecc6b36e56131fdd7d9351f31c9c74c2
Instruction ID: 9ddbfefae41ece5800be1d6f497e34aee5cc3fb64182b6e2eb0a4164de091113
Opcode Fuzzy Hash: 306870c6963b1916a868d7878903f85fecc6b36e56131fdd7d9351f31c9c74c2
Instruction Fuzzy Hash: BA413E36A0C74386F720BB14E441B797BA0FBA9755F544236EA5D827A8CFBDE544C700

Function 00007FF64EEC5C90 Relevance: 13.6, APIs: 9, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF64EEC5C9F
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF64EEC5CB4
__scrt_release_startup_lock.LIBCMT ref: 00007FF64EEC5D22
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF64EEC5D70
__scrt_get_show_window_mode.LIBCMT ref: 00007FF64EEC5D75
_o__get_wide_winmain_command_line.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF64EEC5D7D
__scrt_is_managed_app.LIBCMT ref: 00007FF64EEC5D98
_o__cexit.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF64EEC5DA6
_o__exit.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF64EEC5DFB

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_o__cexit_o__exit_o__get_wide_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 105026157-0
Opcode ID: 395f1534df9de8ab3adec9ee24f61f7a7a4b0758e2b300751a48127d34ce18a7
Instruction ID: 7e711ff0925455bd4f357e0e939256054d2c7cfd758da82f04286cde6af01f94
Opcode Fuzzy Hash: 395f1534df9de8ab3adec9ee24f61f7a7a4b0758e2b300751a48127d34ce18a7
Instruction Fuzzy Hash: C5315221F0C24385FA54BB6494593BB1F91BF71B88F444934F94DCB2E7DEEDA8088201

Function 00007FF64EEC37C0 Relevance: 7.5, APIs: 5, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF64EEC304F), ref: 00007FF64EEC37D7
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF64EEC304F), ref: 00007FF64EEC37E3
GetProcessMitigationPolicy.KERNELBASE(?,?,?,00007FF64EEC304F), ref: 00007FF64EEC3802
SetProcessMitigationPolicy.KERNELBASE ref: 00007FF64EEC3822
SetProcessMitigationPolicy.KERNELBASE(?,?,?,00007FF64EEC304F), ref: 00007FF64EEC383F

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Process$MitigationPolicy$CurrentHeapInformation
String ID:
API String ID: 3749489763-0
Opcode ID: 677136a38e7d958ea9ecc17ae655fa23a4c397fcc89a5c215e0403869d97f88b
Instruction ID: f1ff0a6e40424abc5cf83b5e3ea2b71a938adbc7d369bec940f7126728f8ed0d
Opcode Fuzzy Hash: 677136a38e7d958ea9ecc17ae655fa23a4c397fcc89a5c215e0403869d97f88b
Instruction Fuzzy Hash: F8015E36618642C7E350AF11E4449B9BFA0FB9AB51F84A234EA0B82724DF79D144CB40

Function 00007FF64EEC4660 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EEC4688
CreateMutexW.KERNELBASE ref: 00007FF64EEC46CF

Part of subcall function 00007FF64EEC5114: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC512D

Part of subcall function 00007FF64EEC58F0: ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC58F4

Strings

Local\SM0:%d:%d:%hs, xrefs: 00007FF64EEC4699
wil, xrefs: 00007FF64EEC91D5, 00007FF64EEC9208

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Mutex$CreateCurrentObjectProcessReleaseSingleWait
String ID: Local\SM0:%d:%d:%hs$wil
API String ID: 273201903-2303653343
Opcode ID: 0fe779117beee832b1706a9ec7a4b0207ad036baf88f8acd9c56f510a3128e24
Instruction ID: 9da6216302147b09e2016b1f13736584e48a5f5ba6d220241e83da99dfdc1145
Opcode Fuzzy Hash: 0fe779117beee832b1706a9ec7a4b0207ad036baf88f8acd9c56f510a3128e24
Instruction Fuzzy Hash: B141303671DA8286E610BB51E4446BAAB55FFA9780F445031FA8E87799DFBCD444C700

Function 00007FF64EEC39F0 Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC3A66

Part of subcall function 00007FF64EEC5228: AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EEC3A7A), ref: 00007FF64EEC5257
Part of subcall function 00007FF64EEC5228: ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EEC3A7A), ref: 00007FF64EEC527F

ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC3AAA
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC3CFD
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC3D2F

Part of subcall function 00007FF64EEC3AD4: AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EECAD26), ref: 00007FF64EEC3B4D
Part of subcall function 00007FF64EEC3AD4: ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EECAD26), ref: 00007FF64EEC3B6C

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: f46bff268b9657942f7b2e4df2066148980f2a2b2eaeba0bb5018e9d15c16713
Instruction ID: fe3432738484976e6cae9e072464fce5cc6a57de4331190705fca3626f5e8cd6
Opcode Fuzzy Hash: f46bff268b9657942f7b2e4df2066148980f2a2b2eaeba0bb5018e9d15c16713
Instruction Fuzzy Hash: C7418F65B0CB8285EA14BB12E4002B97FA0FBAAFD4F485170EE5D47796CF7DD4558300

Function 00007FF64EEC3AD4 Relevance: 3.1, APIs: 2, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF64EEC9FE8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF64EEC3AFB,?,?,?,00007FF64EECAD26), ref: 00007FF64EEC9FF4

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EECAD26), ref: 00007FF64EEC3B4D
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EECAD26), ref: 00007FF64EEC3B6C

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: ExclusiveLock$AcquireErrorLastRelease
String ID:
API String ID: 1379261800-0
Opcode ID: b6c7c0d633a564d6684451f2e965e1e678ac283138d0ed472914fe622c8fdf85
Instruction ID: 04a845e81fc5c9c506c0920741aad9339ecdb4d6634b443a58ec03ac5024ad67
Opcode Fuzzy Hash: b6c7c0d633a564d6684451f2e965e1e678ac283138d0ed472914fe622c8fdf85
Instruction Fuzzy Hash: 8A21623260CA4682EB64BF10E04037D6BB0F7A4B88F500171EB4D86698DFBCD995C340

Function 00007FF64EEC3F94 Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EEC6C67,?,?,?,?,?,?,?,?,?,?,00000000,00007FF64EEC6B35), ref: 00007FF64EEC3FB5
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EEC6C67,?,?,?,?,?,?,?,?,?,?,00000000,00007FF64EEC6B35), ref: 00007FF64EEC3FF4

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: deb08c1a9b696f3be48f9cb6279c0bdd98be1b2ff889c631f1d3928c3a90d6cf
Instruction ID: 5f4a4570adb058625bf66803434840711d04628e69aa4044d576518b1d10c483
Opcode Fuzzy Hash: deb08c1a9b696f3be48f9cb6279c0bdd98be1b2ff889c631f1d3928c3a90d6cf
Instruction Fuzzy Hash: 7F014026B0DA8681EA11BF15E4407786BA0FF69BA0F5C9271EA2D477D4DF7DD451C300

Non-executed Functions

Function 00007FF64EEC26C0 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF64EEC271E
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC273B
CoImpersonateClient.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC2760
GetApplicationUserModelIdFromToken.API-MS-WIN-APPMODEL-RUNTIME-L1-1-1 ref: 00007FF64EEC2795
CoRevertToSelf.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC27BA
CoGetCallContext.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC27DD
QueryFullProcessImageNameW.API-MS-WIN-CORE-PSAPI-L1-1-0 ref: 00007FF64EEC286C
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF64EEC28DE

Strings

GetActivationFactory, xrefs: 00007FF64EEC855E, 00007FF64EEC861E
ActivateInstance, xrefs: 00007FF64EEC856A, 00007FF64EEC862A
ERROR, xrefs: 00007FF64EEC841C, 00007FF64EEC849C, 00007FF64EEC854D

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Once$ApplicationBufferCallClientCloseContextExecuteFromFullHandleImageImpersonateInitModelNameProcessQueryRevertSelfStringTokenUserWindows
String ID: ActivateInstance$ERROR$GetActivationFactory
API String ID: 2418767327-382788514
Opcode ID: 3d085c315d2330e0b0d2472606634b96ee0fbf77c5a6f2525d3ff3fca275303c
Instruction ID: 116c15eb0177b025023302f5ff14327e65e6402fc6bb08bb5fa45bede449099e
Opcode Fuzzy Hash: 3d085c315d2330e0b0d2472606634b96ee0fbf77c5a6f2525d3ff3fca275303c
Instruction Fuzzy Hash: 00D11B36B0CB42CAF710AB64E4806AD7BA4FB99758F904235EA4D83B59DFBCE545C700

Function 00007FF64EEC2940 Relevance: 27.4, APIs: 18, Instructions: 353
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC29A7
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC29BD
#153.COMBASE ref: 00007FF64EEC29F5
CoImpersonateClient.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC2B9D
GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EEC2BCF
OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EEC2BEB
CoRevertToSelf.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EEC2C02
InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF64EEC2C2A
AccessCheckByType.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF64EEC2CB0
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC2D0D
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC2D3B
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC2D4F
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC2D7B

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: StringWindows$Delete$OnceThread$#153AccessCheckClientCreateCurrentExecuteImpersonateInitOpenRevertSelfTokenType
String ID:
API String ID: 2298634945-0
Opcode ID: 905ccab0c48f81b5989ea0f1cb6033083a2aaee62740c1047354079afc711d9d
Instruction ID: 0686654d2a3a6d330e594ab0c5b477ceec71a45e2f84f460f1799165f5180baa
Opcode Fuzzy Hash: 905ccab0c48f81b5989ea0f1cb6033083a2aaee62740c1047354079afc711d9d
Instruction Fuzzy Hash: EFF16936B0CB82CAFB10BB65E4406AD7BA0FBA9794F104235EA4D93B65DF7DE4418704

Function 00007FF64EEC6470 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF64EEC648C
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF64EEC64B0
RtlCaptureContext.NTDLL ref: 00007FF64EEC64B9
RtlLookupFunctionEntry.NTDLL ref: 00007FF64EEC64D3
RtlVirtualUnwind.NTDLL ref: 00007FF64EEC6514
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF64EEC6547
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF64EEC6568
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64EEC6589
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64EEC6594

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: f94f21ead2ceb3be62a7d8e1d1e16f48b9d97544c8733c5bb34711c8e8d4b39a
Instruction ID: 885cb83ed84181a876f4988d70d29fa42b691da29352fc45054263e1dc15cb81
Opcode Fuzzy Hash: f94f21ead2ceb3be62a7d8e1d1e16f48b9d97544c8733c5bb34711c8e8d4b39a
Instruction Fuzzy Hash: A8317276709B82C6EB60AF60E8407EE3764FB94B48F444439EA4D87B99EF78D548C700

Function 00007FF64EECF60C Relevance: 7.6, APIs: 5, Instructions: 91memorythreadCOMMON

Download Yara Rule

APIs

VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF64EECF661
GetSystemInfo.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF64EECF67E
SetThreadStackGuarantee.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EECF693
VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF64EECF6F8
VirtualProtect.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF64EECF718

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Virtual$AllocGuaranteeInfoProtectQueryStackSystemThread
String ID:
API String ID: 513674450-0
Opcode ID: e0e5fa3caaed48ca95fe91ce30dfae3f8c3964ddc5e94379271a4387380ac3b6
Instruction ID: 94fae5a47341aa30bdd083356a48c13dd22110a9977b08149ec0bf5db2ea666f
Opcode Fuzzy Hash: e0e5fa3caaed48ca95fe91ce30dfae3f8c3964ddc5e94379271a4387380ac3b6
Instruction Fuzzy Hash: 21316F36718A82CAEB10EF21E8507E83BE5FB59B88F485135EA0E87754DFB8E545C700

Function 00007FF64EEC5E68 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,?,00007FF64EEC5F9D,?,?,?,?,?,?,00007FF64EEC127B), ref: 00007FF64EEC5E71
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF64EEC5F9D,?,?,?,?,?,?,00007FF64EEC127B), ref: 00007FF64EEC5E89
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF64EEC5F9D,?,?,?,?,?,?,00007FF64EEC127B), ref: 00007FF64EEC5E92
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF64EEC5F9D,?,?,?,?,?,?,00007FF64EEC127B), ref: 00007FF64EEC5EAB

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentDebuggerPresentProcess
String ID:
API String ID: 2506494423-0
Opcode ID: b99d5c8af2301ba828a70b6bdf3be2bb36a2210073049334444f13574ba8f8ea
Instruction ID: 79f9c73d7b63c634d59a658f72ece63951a1b653c9fb6af3770185f32d385647
Opcode Fuzzy Hash: b99d5c8af2301ba828a70b6bdf3be2bb36a2210073049334444f13574ba8f8ea
Instruction Fuzzy Hash: 9EF0E568F0C6078AF7143B71B8156752664BFF5B55F441534F91EC5292DFFE6485C200

Function 00007FF64EECEF7C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF64EECEFC9

Strings

(%S):(%S):(%d) , xrefs: 00007FF64EECF09A
Heap, xrefs: 00007FF64EECF2AA

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: DebuggerPresent
String ID: (%S):(%S):(%d) $Heap
API String ID: 1347740429-3299253117
Opcode ID: 15e4b1ebb7461e4b991496a1aa5a6b2fb7fff6d12c2960c1921c633e75f12054
Instruction ID: 489f5ea6233fc84e9221090ae7a138eaa87a64bf76eee0acd0f0aa04653ff689
Opcode Fuzzy Hash: 15e4b1ebb7461e4b991496a1aa5a6b2fb7fff6d12c2960c1921c633e75f12054
Instruction Fuzzy Hash: 99A15C26B0CA4385EB68BB61E8107B82BD4FF64798F544035F91E87BA9DEBCE441C740

Function 00007FF64EEC7470 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF64EEC749B

Strings

NtQueryWnfStateData, xrefs: 00007FF64EEC7494

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: AddressProc
String ID: NtQueryWnfStateData
API String ID: 190572456-3685890079
Opcode ID: 15cf0db0ead2dfaae78878805870650b9523135ce89cf485b564fc3c991a47fe
Instruction ID: b66c4db1f87c7d450fb2767c83d7966c4a8ecbf0ffd282215489cdd00125afe8
Opcode Fuzzy Hash: 15cf0db0ead2dfaae78878805870650b9523135ce89cf485b564fc3c991a47fe
Instruction Fuzzy Hash: 91F06229B0DF4686EB10BB1AF400465AA91FFA9BD4F444231ED4D87764EEBCD4508B00

Function 00007FF64EECA014 Relevance: 2.5, APIs: 2, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1317747797472a79fe395459715ef81b1726784e11e9f95ac1da4c82d9799a
Instruction ID: 63ce08c8466c9e291695bfce86e54b89f2b3817d6ede5ef5badf727b039fdecd
Opcode Fuzzy Hash: 3e1317747797472a79fe395459715ef81b1726784e11e9f95ac1da4c82d9799a
Instruction Fuzzy Hash: D2111C26B0DA42C9EA24BF52E451178BB60FBA4FC0B485132EB9F87759CF79E4519304

Function 00007FF64EEC7594 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f38db50dbd013c15691e5ee87d9c7cbb41a20b20831d27c9b0bcdd0b79d70c
Instruction ID: ed494bfe1ce74904649878b4f544b1db77de101141f8481a8b4527bdf8b35684
Opcode Fuzzy Hash: 89f38db50dbd013c15691e5ee87d9c7cbb41a20b20831d27c9b0bcdd0b79d70c
Instruction Fuzzy Hash: 7241A173F296118EF350EBB9D8457AD3AF1BB55349F148039EE09D6A88DFBC94418B40

Function 00007FF64EEC6668 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9388206ab06eae6549325f9595ecf8226ceaac0c2fabe80f9dfe2727cefdb58e
Instruction ID: 0c64151acb7e7a84c589f59972ad751bcf0f37c0a58197336bf6b0dff19c4edf
Opcode Fuzzy Hash: 9388206ab06eae6549325f9595ecf8226ceaac0c2fabe80f9dfe2727cefdb58e
Instruction Fuzzy Hash: AFA00269A0CD03D1E644BF50F8544312734FBB4740B450931F05DC10A1DFBDA400C301

Function 00007FF64EECB0BC Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 153
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF64EECB19D
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EECB21F

Strings

[%hs], xrefs: 00007FF64EECB2E5
Msg:[%ws] , xrefs: 00007FF64EECB28A
CallContext:[%hs] , xrefs: 00007FF64EECB2A5
%hs!%p: , xrefs: 00007FF64EECB1E7
[%hs(%hs)], xrefs: 00007FF64EECB2CC
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF64EECB238
Exception, xrefs: 00007FF64EECB168
%hs(%u)\%hs!%p: , xrefs: 00007FF64EECB1C9
FailFast, xrefs: 00007FF64EECB14D
ReturnHr, xrefs: 00007FF64EECB15F
LogHr, xrefs: 00007FF64EECB156
, xrefs: 00007FF64EECB26F
(caller: %p) , xrefs: 00007FF64EECB207

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-3173542853
Opcode ID: bb7ef0f976bdc84ac4fed5ca1c1db839bb1912d2077f87e76b0afc6e05c7d31c
Instruction ID: e44bc369c17f5513e0631446301baaecc18b4e8ff8d4f1ee2b92844bf9f72d9f
Opcode Fuzzy Hash: bb7ef0f976bdc84ac4fed5ca1c1db839bb1912d2077f87e76b0afc6e05c7d31c
Instruction Fuzzy Hash: 62618D35B0CB8282EA29FF51A8009B967A4FFA9784F404536FA4D83B95DF7CE5608700

Function 00007FF64EECBB60 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64EECB6BC: InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,00007FF64EECBB93), ref: 00007FF64EECB6D4

LsaLookupOpenLocalPolicy.API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0 ref: 00007FF64EECBBC3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64EECBBE3
LsaLookupFreeMemory.API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0 ref: 00007FF64EECBBF4
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64EECBC02
LsaLookupGetDomainInfo.API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0 ref: 00007FF64EECBC1B
CreateWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF64EECBC5A
RtlEqualSid.NTDLL ref: 00007FF64EECBC8A
LsaLookupFreeMemory.API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0 ref: 00007FF64EECBCA8
LsaLookupClose.API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0 ref: 00007FF64EECBCBD

Strings

onecore\com\combase\runtimebroker\exe\runtimebroker.cpp, xrefs: 00007FF64EECBC34, 00007FF64EECBC6E

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Lookup$ErrorFreeLastMemoryOnce$CloseCreateDomainEqualExecuteInfoInitKnownLocalOpenPolicyWell
String ID: onecore\com\combase\runtimebroker\exe\runtimebroker.cpp
API String ID: 2178992486-1046603397
Opcode ID: 16f694b7c587e33cd115ef84b23960b5e79c59e81de7df628830f99a31141214
Instruction ID: a093bbf8c5dfd4b7fc400f4113193f25841717da87bcc348976c5d2e9837d752
Opcode Fuzzy Hash: 16f694b7c587e33cd115ef84b23960b5e79c59e81de7df628830f99a31141214
Instruction Fuzzy Hash: 0C414926B08B428AEB00AFA1D4007BC6B61FBA9B89F459531EE0D97644DFB9E445C340

Function 00007FF64EECA734 Relevance: 16.6, APIs: 11, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

MapGenericMask.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF64EECA785
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EECA797
GetKernelObjectSecurity.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF64EECA7B8
CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EECA7C7
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EECA7DE
GetKernelObjectSecurity.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF64EECA7FF
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64EECA80F
RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FF64EECA835
AccessCheck.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF64EECA877
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64EECA887
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EECA8B6

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Error$CurrentKernelLastObjectProcessSecurityTask$AccessAllocCheckFreeGenericMaskOriginate
String ID:
API String ID: 2648494228-0
Opcode ID: f2a0d9cbb5b4286209861aef11bf62254016d01634515dee56654fb34c1de0d1
Instruction ID: 6bbf06b8f3760b1bfcc55fa21c80d956aad492ba0bcbec4eaee24372dc527599
Opcode Fuzzy Hash: f2a0d9cbb5b4286209861aef11bf62254016d01634515dee56654fb34c1de0d1
Instruction Fuzzy Hash: FC514C37B08A42CBE710AB61E4146BD7BA1FB99B49F458235EE4E87B54DF78D109C700

Function 00007FF64EECB910 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 96synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF64EEC92B5), ref: 00007FF64EECB922

Strings

wil, xrefs: 00007FF64EECB93D, 00007FF64EECBA6D

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: aa878ce9232380ecc258523c0c66fccec9adce65c0040defde86804a8322f0bf
Instruction ID: 36179955672d6b5f2f60710b4a008da429ceb11623ba6ecafe4e2f79460aa8ee
Opcode Fuzzy Hash: aa878ce9232380ecc258523c0c66fccec9adce65c0040defde86804a8322f0bf
Instruction Fuzzy Hash: 1B417E21B0C68387F320BB11E40477E7AA1FFA5781F649631E95EC6AA4CFBDD8458701

Function 00007FF64EEC4270 Relevance: 15.1, APIs: 10, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,0000000C,?,00007FF64EEC4038,?,?,00007FF64EEC8D49,00007FF64EECC54E,?,?,?,?,?,00007FF64EEC8D49), ref: 00007FF64EEC42CD
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,0000000C,?,00007FF64EEC4038,?,?,00007FF64EEC8D49,00007FF64EECC54E,?,?,?,?,?,00007FF64EEC8D49), ref: 00007FF64EEC42E1
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,0000000C,?,00007FF64EEC4038,?,?,00007FF64EEC8D49,00007FF64EECC54E,?,?,?,?,?,00007FF64EEC8D49), ref: 00007FF64EEC42FC

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Heap$Process$Alloc
String ID:
API String ID: 651230671-0
Opcode ID: 741cb74d1ca26d461ce3e1a4ee28967abacef77ca6491e2e37201321a8afc90f
Instruction ID: 8aa51de55c607349708d3a9e049b936e2036892e4a65f796c42b96c2efcc3b2a
Opcode Fuzzy Hash: 741cb74d1ca26d461ce3e1a4ee28967abacef77ca6491e2e37201321a8afc90f
Instruction Fuzzy Hash: 9A419D26B0DA42C6EA00BF56E5041BDABA0FFA9B95B088130EF5D83755DF7DE0628700

Function 00007FF64EEC25A0 Relevance: 12.1, APIs: 8, Instructions: 115COMMON

Download Yara Rule

APIs

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC25FF
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC261A
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF64EEC2655
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC2689
RoOriginateErrorW.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FF64EEC8383

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: StringWindows$Delete$ActivationCreateErrorFactoryOriginate
String ID:
API String ID: 1130540099-0
Opcode ID: 0e1c1bbde761e005811a8302011d86a26311fccce2f7424362cc06ac131b1f25
Instruction ID: 56a740abed7202bedccd8421486d60b35d82ac0cd014ec7acf39fa709c8a2ad6
Opcode Fuzzy Hash: 0e1c1bbde761e005811a8302011d86a26311fccce2f7424362cc06ac131b1f25
Instruction Fuzzy Hash: D7517F26B0CB8386E700BB25B500679ABA0FBAD794F509235FE4E82665DFBDE4418700

Function 00007FF64EEC1170 Relevance: 12.1, APIs: 8, Instructions: 111COMMON

Download Yara Rule

APIs

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC11CD
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC11E8
RoActivateInstance.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF64EEC1220
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF64EEC1258
RoOriginateErrorW.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FF64EEC8283

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: StringWindows$Delete$ActivateCreateErrorInstanceOriginate
String ID:
API String ID: 3245081336-0
Opcode ID: 21e60a127233947812c7fb1cfbad7e22973c352145760b60870a6a9facd8b6b8
Instruction ID: e4932417fa06d03de519f8fcb2cd6532a8c0584da49df0aa1892a33853f3cc71
Opcode Fuzzy Hash: 21e60a127233947812c7fb1cfbad7e22973c352145760b60870a6a9facd8b6b8
Instruction Fuzzy Hash: 66515D25B0CB87C7E710BB24E5406B9ABA0FBA9750F109331FA9D82769DFBDE4459700

Function 00007FF64EEC3600 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

RtlIsMultiSessionSku.NTDLL ref: 00007FF64EEC3630

Strings

onecore\com\combase\runtimebroker\exe\runtimebroker.cpp, xrefs: 00007FF64EEC8991, 00007FF64EEC8AD4, 00007FF64EEC8B6B
Windows.System.User, xrefs: 00007FF64EEC89E2

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: MultiSession
String ID: Windows.System.User$onecore\com\combase\runtimebroker\exe\runtimebroker.cpp
API String ID: 1909026881-2095041590
Opcode ID: e8acd4fab34d1bab0fbf8186052c28a5cbe856b33871e8decdf3d09a8537b8b1
Instruction ID: c49b827a7081bab886793222d47f7668de2efb2546fe91176e1084b36916941e
Opcode Fuzzy Hash: e8acd4fab34d1bab0fbf8186052c28a5cbe856b33871e8decdf3d09a8537b8b1
Instruction Fuzzy Hash: F6712F26B0CB46C5FB10FBA5D9505BD2BA0BFA8B88B144535EE0D97B64DF78E446C304

Function 00007FF64EECC22C Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF64EEC9909), ref: 00007FF64EECC24D
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF64EEC9909), ref: 00007FF64EECC26D
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF64EEC9909), ref: 00007FF64EECC28D
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF64EEC9909), ref: 00007FF64EECC29C
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF64EEC9909), ref: 00007FF64EECC2F4
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF64EEC9909), ref: 00007FF64EECC319

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared$EnterLeave
String ID:
API String ID: 3221859647-0
Opcode ID: 2d2040665af4a4f281ccd8ae2bcf3059a02c1352d54abbf191629f6e1790d5df
Instruction ID: 077035d64f176dbf42f00126c43fc5e57a38c3e52262e293d9e49271eb15d12b
Opcode Fuzzy Hash: 2d2040665af4a4f281ccd8ae2bcf3059a02c1352d54abbf191629f6e1790d5df
Instruction Fuzzy Hash: D8317F26B0CE8286EA15BF52A500179ABA0FBA9FD1B499170EE4E47B14DF7CD585C700

Function 00007FF64EECA65C Relevance: 9.1, APIs: 6, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CoImpersonateClient.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EECA677
GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EECA689
OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EECA6A6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64EECA6B6
CoRevertToSelf.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF64EECA6D1
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF64EECA712

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Thread$ClientCloseCurrentErrorHandleImpersonateLastOpenRevertSelfToken
String ID:
API String ID: 1175436245-0
Opcode ID: be395eaf02807ca0d5cd71520071d9415fb31a5c34e52a4edf894477fb9124c6
Instruction ID: b950d12591c105dc9da9da2297ba47caefc321b2e6220a9f198672fe63b5f82d
Opcode Fuzzy Hash: be395eaf02807ca0d5cd71520071d9415fb31a5c34e52a4edf894477fb9124c6
Instruction Fuzzy Hash: D1214A25B1CB8387E7407B61E4447B9BEA0FB9AB81F449234FA8EC2741DFACD4849700

Function 00007FF64EEC7B20 Relevance: 9.0, APIs: 7, Instructions: 208memoryCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF64EEC704C), ref: 00007FF64EEC7B5E

Part of subcall function 00007FF64EEC7470: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF64EEC749B

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF64EEC704C), ref: 00007FF64EEC7BFD
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF64EEC704C), ref: 00007FF64EEC7C11
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF64EEC704C), ref: 00007FF64EEC7C1D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF64EEC704C), ref: 00007FF64EEC7C31
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF64EEC704C), ref: 00007FF64EEC7DE5
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF64EEC704C), ref: 00007FF64EEC7DF9

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Heap$Process$Free$AddressAllocProcmemset
String ID:
API String ID: 2515388404-0
Opcode ID: f32ca9d152b81742a32523ce705242412f49e242848a67d0c0d14747b15cdaf7
Instruction ID: f4e4092e9acd63e8e7ad9f2bee11159ab24108ffb6cd0f2aef21d40945d3f4be
Opcode Fuzzy Hash: f32ca9d152b81742a32523ce705242412f49e242848a67d0c0d14747b15cdaf7
Instruction Fuzzy Hash: 1D916D36B18B528AEB20EF66E4005B97BB0FB69B88B448535EE8E83754DF78D154C710

Function 00007FF64EEC4804 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC48E0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF64EEC48F8

Strings

_p0, xrefs: 00007FF64EEC489A
wil, xrefs: 00007FF64EEC928B, 00007FF64EEC92C2, 00007FF64EEC9397

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: ErrorLastOpenSemaphore
String ID: _p0$wil
API String ID: 1909229842-1814513734
Opcode ID: a5cd399a27205ceef1c2beec119a410a58b8f779cab6bd0e0e58c142d57e1180
Instruction ID: 254933e809c57bf65b140a7232187fd02375471ff0e7477aea9c5895493cd95c
Opcode Fuzzy Hash: a5cd399a27205ceef1c2beec119a410a58b8f779cab6bd0e0e58c142d57e1180
Instruction Fuzzy Hash: 3D71D162B1DA8285EF21FF5994106B92BA0FFA8B80F444532FA4E87795DFBDE505C300

Function 00007FF64EECE3A8 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF64EECE3F5
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF64EECE4AB

Strings

Failed to handle format string %s, xrefs: 00007FF64EECE572
onecore\com\combase\common\core\perappruntimebroker.cpp, xrefs: 00007FF64EECE3AF
CheckPerAppBrokerInstancingRegistryValue, xrefs: 00007FF64EECE3AD

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: memsetwcsncmp
String ID: CheckPerAppBrokerInstancingRegistryValue$Failed to handle format string %s$onecore\com\combase\common\core\perappruntimebroker.cpp
API String ID: 1181335886-259689217
Opcode ID: 5690f14769ec5ce86af37efc14a6e33ec8f84abfd0566ea1fdf18aafda7f84db
Instruction ID: 2a361da62f6d81b935cf660ca5b0b141591b9515d9d997997735b5f645486610
Opcode Fuzzy Hash: 5690f14769ec5ce86af37efc14a6e33ec8f84abfd0566ea1fdf18aafda7f84db
Instruction Fuzzy Hash: F941B522B1CA4281E720BF55E8045BA77A5FBA4794F845231FE9E877A4EFBCD445C300

Function 00007FF64EECA4C4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF64EECA4F6
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EECA53E

Strings

Local\SM0:%d:%d:%hs, xrefs: 00007FF64EECA507
wil, xrefs: 00007FF64EECA59E, 00007FF64EECA631
x, xrefs: 00007FF64EECA511

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: CreateCurrentMutexProcess
String ID: Local\SM0:%d:%d:%hs$wil$x
API String ID: 3937467467-630742106
Opcode ID: 719f68025b03c92c310b1719f4d30fdc95cb7cfc46a067599a3f77b2d9a280db
Instruction ID: 5fa36f9b8b729bf3840b65dd406419f28be93f2d023e986572c60e880141f377
Opcode Fuzzy Hash: 719f68025b03c92c310b1719f4d30fdc95cb7cfc46a067599a3f77b2d9a280db
Instruction Fuzzy Hash: D8415032B1CA8286EB11BB55E4407FA6BA0FBA8784F449031FA8EC7795DEBCD545C700

Function 00007FF64EEC4A30 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC4B43
CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF64EEC4BE9

Strings

_p0, xrefs: 00007FF64EEC4AC9
wil, xrefs: 00007FF64EEC9486, 00007FF64EEC94C1

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: CreateSemaphore
String ID: _p0$wil
API String ID: 1078844751-1814513734
Opcode ID: 3ec56fafa09b94896648085c11ab3e16d0b800b57fe4b7839010c4953298520c
Instruction ID: bcffbb14cb5b94e81ef5b8362b8e60790157d68175823701a1a244ef23b2cb3b
Opcode Fuzzy Hash: 3ec56fafa09b94896648085c11ab3e16d0b800b57fe4b7839010c4953298520c
Instruction Fuzzy Hash: 8661C361B1C68285EB61BF6194447BA6A90FFA8B80F544135FB1DC7798EFBDE404C700

Function 00007FF64EECD420 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF64EECD43F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF64EECD455

Strings

kernelbase.dll, xrefs: 00007FF64EECD435
RaiseFailFastException, xrefs: 00007FF64EECD44E

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: b4047b3d9d79572b1f8a17285da983a8aff476f7ab7082397e3ebcf01806d9c2
Instruction ID: 27659265a4beb10f3cd6269c3764b8f8cfc0214c0255bec3c52e35a937175cb1
Opcode Fuzzy Hash: b4047b3d9d79572b1f8a17285da983a8aff476f7ab7082397e3ebcf01806d9c2
Instruction Fuzzy Hash: ADF0D02571CB9282EB046B02F544479AA60FB9DBD0B44A535EA4E57768DF7DD481C700

Function 00007FF64EEC2000 Relevance: 6.2, APIs: 4, Instructions: 215COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,00000014,?,?,0000001C,00007FF64EEC1F33), ref: 00007FF64EEC2096

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: a227adf3986fb5740f1334595c41e9aee6258706b3285243a2f960f0cea880d3
Instruction ID: 0ba101032ff3261916cd660a5ae3776c72be1fdcb13af39c61c441f2c6813987
Opcode Fuzzy Hash: a227adf3986fb5740f1334595c41e9aee6258706b3285243a2f960f0cea880d3
Instruction Fuzzy Hash: 0F918F62F18A918AEB00FF6194400FD3B70FB69B88B105126FE4E97B89DFB9D541C340

Function 00007FF64EEC4210 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF64EEC970A,?,?,?,00007FF64EEC1E25), ref: 00007FF64EEC9138
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF64EEC970A,?,?,?,00007FF64EEC1E25), ref: 00007FF64EEC915E
_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF64EEC970A,?,?,?,00007FF64EEC1E25), ref: 00007FF64EEC916D
_o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF64EEC970A,?,?,?,00007FF64EEC1E25), ref: 00007FF64EEC917F

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: _o__errno$_o__invalid_parameter_noinfomemset
String ID:
API String ID: 1330570140-0
Opcode ID: 7ed881f3b96514f9a5b7ec82e0e572938635dce3114c8860b36ede808ead0b47
Instruction ID: 11d285aeceb278c270d50c0130a4aca83ae1d0d8cdfaa0cf19e358d56f67e008
Opcode Fuzzy Hash: 7ed881f3b96514f9a5b7ec82e0e572938635dce3114c8860b36ede808ead0b47
Instruction Fuzzy Hash: E6019220F0C64281FB147F91A5092BA6E90BF68BD0F499530FA1D8778ACEADE4414301

Function 00007FF64EECD214 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EECD2D8,?,?,?,?,?,?,?,?,00007FF64EEC5AF1), ref: 00007FF64EECD235
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EECD2D8,?,?,?,?,?,?,?,?,00007FF64EEC5AF1), ref: 00007FF64EECD244
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EECD2D8,?,?,?,?,?,?,?,?,00007FF64EEC5AF1), ref: 00007FF64EECD27B
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EECD2D8,?,?,?,?,?,?,?,?,00007FF64EEC5AF1), ref: 00007FF64EECD28F

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: CriticalExclusiveLockSection$AcquireEnterLeaveRelease
String ID:
API String ID: 1115728412-0
Opcode ID: d295c3e35a24f548409453d96cd0de7d8d4a095642c44d4602c7f2e097f9bd9b
Instruction ID: 64f67c70c2a8dcdd87d450ca20d1b0259ebfc86718a90ff2d90ed9e3cd01302f
Opcode Fuzzy Hash: d295c3e35a24f548409453d96cd0de7d8d4a095642c44d4602c7f2e097f9bd9b
Instruction Fuzzy Hash: BD015276B1CB8282EE18BF51A544578AB60FBAEFC17199270EE4E43714DF7DD4918700

Function 00007FF64EEC3EE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EEC8C49,?,?,?,?,?,00007FF64EEC38A0), ref: 00007FF64EEC3F08
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF64EEC8C49,?,?,?,?,?,00007FF64EEC38A0), ref: 00007FF64EEC3F64

Strings

[), xrefs: 00007FF64EEC3F34

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: [)
API String ID: 17069307-4291594351
Opcode ID: d710c684ec76256ea2a1128f63be0e6e2c8dab3fd5af79bc3c0905aa0bc11db4
Instruction ID: 91e8746d411dc0b8527698df3f9b7a16efbe53d26838bccb578c1334038fea50
Opcode Fuzzy Hash: d710c684ec76256ea2a1128f63be0e6e2c8dab3fd5af79bc3c0905aa0bc11db4
Instruction Fuzzy Hash: B9117935A0DB8686EB60BF21E4402B87BB0FB59B84F480574EA4E87794CFBDE855C700

Function 00007FF64EEC1EF0 Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: e69db0821044a7a6169fef2bc5046518f2427ef212224ae0726b2b5db3d53e53
Instruction ID: 59539608b4d3074f53a9785bd3324a2b6166bb970e4c8744cf0f9e549fe809dc
Opcode Fuzzy Hash: e69db0821044a7a6169fef2bc5046518f2427ef212224ae0726b2b5db3d53e53
Instruction Fuzzy Hash: E9316236A0CB8186D720BF22A0006A9ABA5FB9ABC4F185235FE9D4375ACF7DD045C700

Function 00007FF64EECA99C Relevance: 5.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000078,00007FF64EECA04F,?,?,?,00007FF64EECC703,?,?,?,?,?,00007FF64EEC5AAD), ref: 00007FF64EECA9DA
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000078,00007FF64EECA04F,?,?,?,00007FF64EECC703,?,?,?,?,?,00007FF64EEC5AAD), ref: 00007FF64EECA9EE
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000078,00007FF64EECA04F,?,?,?,00007FF64EECC703,?,?,?,?,?,00007FF64EEC5AAD), ref: 00007FF64EECAA12
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000078,00007FF64EECA04F,?,?,?,00007FF64EECC703,?,?,?,?,?,00007FF64EEC5AAD), ref: 00007FF64EECAA26

Memory Dump Source

Source File: 00000000.00000002.1654005556.00007FF64EEC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF64EEC0000, based on PE: true

Associated: 00000000.00000002.1653992847.00007FF64EEC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654020972.00007FF64EED1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654033413.00007FF64EED7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654045733.00007FF64EED8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff64eec0000_RuntimeBroker.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: ade627b6d864314d11873174303ac8568b2ea4ccad8a1765aeb89a088a835f77
Instruction ID: a57e533f050675110be6ed018905ac947077b986c12b85738d203c2032550474
Opcode Fuzzy Hash: ade627b6d864314d11873174303ac8568b2ea4ccad8a1765aeb89a088a835f77
Instruction Fuzzy Hash: C111373A608B81C6DB10AF52F4400A9BBB4F799F80B4D9121DB8E53B25CF39E496C700

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RuntimeBroker.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: RuntimeBroker.exePID: 7416, Parent PID: 2580

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Windows Analysis Report
RuntimeBroker.exe

Function 00007FF64EEC32C0 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 214
registryCOMMON

Function 00007FF64EEC3040 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 149
comCOMMON

Function 00007FF64EEC3BB0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99
registryCOMMON

Function 00007FF64EEC5C90 Relevance: 13.6, APIs: 9, Instructions: 106
COMMON

Function 00007FF64EEC37C0 Relevance: 7.5, APIs: 5, Instructions: 34
memoryCOMMON

Function 00007FF64EEC4660 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99
synchronizationCOMMON

Function 00007FF64EEC39F0 Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Function 00007FF64EEC3AD4 Relevance: 3.1, APIs: 2, Instructions: 51
COMMON

Function 00007FF64EEC3F94 Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Function 00007FF64EEC26C0 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270
COMMON

Function 00007FF64EEC2940 Relevance: 27.4, APIs: 18, Instructions: 353
threadCOMMON

Function 00007FF64EECB0BC Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 153
windowthreadCOMMON