Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
2Mi3lKoJfj.exe

Overview

General Information

Sample name:2Mi3lKoJfj.exe
renamed because original name is a hash value
Original sample name:b94af11cca65c557d23559e978a49d18.exe
Analysis ID:1583601
MD5:b94af11cca65c557d23559e978a49d18
SHA1:0c3436d0c5df8e2e39bf4869bbe4413ca8d594b7
SHA256:f6a0a782d574de811fe66ecf6416c69b486f9ca20faf96cfc863a00063306338
Tags:exeQuasarRATRATuser-abuse_ch
Infos:

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Execution of Shutdown
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 2Mi3lKoJfj.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\2Mi3lKoJfj.exe" MD5: B94AF11CCA65C557D23559E978A49D18)
    • schtasks.exe (PID: 7328 cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RuntimeBroker.exe (PID: 7420 cmdline: "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" MD5: B94AF11CCA65C557D23559E978A49D18)
      • schtasks.exe (PID: 7472 cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • shutdown.exe (PID: 7672 cmdline: "C:\Windows\System32\shutdown.exe" /s /t 0 MD5: F2A4E18DA72BB2C5B21076A5DE382A20)
        • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • shutdown.exe (PID: 8028 cmdline: "C:\Windows\System32\shutdown.exe" /s /t 0 MD5: F2A4E18DA72BB2C5B21076A5DE382A20)
        • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • RuntimeBroker.exe (PID: 7448 cmdline: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe MD5: B94AF11CCA65C557D23559E978A49D18)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Quasar RAT, QuasarRATQuasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "194.26.192.167:2768;", "SubDirectory": "RuntimeBroker", "InstallName": "RuntimeBroker.exe", "MutexName": "859d5f90-e2d0-4b2d-ba9f-5371df032ec2", "StartupKey": "RuntimeBroker", "LogDirectoryName": "Logs", "ServerSignature": "HLslqQCNhdORmt9FCkAoRZrPsL/QZ+X7L5BYCTwyjm+j0iRcqsXqSMBfjKaA0Z/VsXvYHImcNHtGPMZtFagEfGGsJYPbzXbkf3bmRGyrX2KjSu21OB4r/BrzkxWemrgblEj7tj3Y9suDtBtkRspLl3wICM1YJI4WF5dGSHgO3O28feawR8uCUuw8s95M470IepEqdwNbtYXzdtXfjNj6zQg8Eo0irBdcUB9eNuRVK8DeoMeer8ueo9HviqpSea31UwRMcLWq7EFFBLPAXSqpqg3G+qxE14o4wmdEHOwlFynUpEtiRkrdeIX89V+JIeue321yPIIt1PrQHqGp87c7BsOkaBTYZg7Pk104uKe/zWShInSWuvv0cc04ndks+SknWEjAJFoe6kGaTnEaa5bv8QiJ91McGOFEPJQhMyFnBlWiVeMEyro7LwGxg9QugfOmvOH3jNEb+EP4p+nNm/ywWgBWsSNTfrUyiBDGFNMqBG3Q5ObAvUHmJV/q5GxnJrgFN2wAL3CHP71RESbg8bTr8aMvv7wG5ih8ORKB8rrw41KPbosFIjjj1C/KKddXMW5E3K15+yZFqb7p/oeFiWJit3g0ETP7WskoSWzLqRAOV9A4tVX+LgEgv4pSmQE+x85dt80GcFPVHEUTTtYx+fCXD9Ux5n8b2GnSgBxQHYzhrLw=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANsXKsVBNY84Mxn9yL1q+zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIyMjIxNDAwMloYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApZBonJM7WYHmpm3qdrgPzvZzjN2KhDm7b6/Ed/STVeygNnLFcWZRg3SlTelP9JyCVSduUTu3rnUGjKv6Yy93iBREBOLUjz//kG9XFcu1bC7kspcUZsXwWvh4oTpK5TYTvNv+S33iVxkTFF1X2irKFrw1JqX+iTC8Gs7kzh6lD1oBzg8dCxiq1ztmOsvY4KF0/AeOr/1lVNT43QD+Mz0YgLOrAP88SIvZ6uSEKRpDJGHWMrDdvICjhDrH4G7sdT1lJyZfOqWKj3LjZfL9hKh1PZYRKlyoH764Y7J5LqqyyrBlr36kLdNoEYCHvywePknU5CS5024n73ozNQBIN1uf/gUjBOTbg6QMZLpN0TwI0TA+z2uEejwDvRZLi+nHdtsiIGfGjaIWANfH2G+u1IZ71cw7dpvW1FRUXnwjVGqUu3C/FYWpRTQLd9J2mYVp2sc6ODR1jh+vnhkaCB6cCSyOI36ciDPGGad5j9asNSucHqLg0WgkVSyUkxNlBtPgINBoIjsd/SN9XDxPiAue4JkXJoku1wP+C0XCIdGuDfMXpj0ZtlUU3FNd5GcbE9lBlggv3F5B7NfyfloPtD1p/esufaH9p0H1pmItCQ+OaIMolSbOeuLFnttPKEJKiVCgoCiX/Af4sla10/O6BsxLDxX38y0KVj0cX7e/3jJRxp1V9RcCAwEAAaMyMDAwHQYDVR0OBBYEFEX38BPzk+UmcA6SV5MxFCubg1rAMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACuFs22c0aieLDzZUhcWB0xaLJdtSG9Ad4gh69F1m+3OhzTOSYrjY5xFVy/0pRfYAuMoxuPD74VdYDBa0epCfT1qFM5FfQ07OXtxzoNuuVTjjkB+Mzl6Als+9B+QptwvLw4JGJQPDuge6sShs18izP0wFzpKpFnC4GUTY47DiW3uOdYjQgYbMatcNGramkemH1oNRkrHy494GXKZp5I1JlwCgeY630ylli4j31KQgRZPge8QwAzzkLZDiS320GuVb2D6ElTvCLOTE8PungImR9VB3GfZvG6ATppnW855+og/emxPhwmoblcSbXLDzWykwyP0VVr0o2uY+qj7FuVER/XURMdfp36DMRJua4vPfvcBAvxCQvwKT79tcW3E0y0qkM47gcjZ1hVHOvDbIwWo849RZcq7hxHaQ0GHcUFILob3IjG5r34debZJm/uJ4wJ4oss6sD1FTDej8LfmkzYfxVxVAMUtRo+OyxOhWXGjIrcH3LOQoJkLs3hYrc62oQEn17FXvEgetwp4SaiQIPUALl5hyfAi1PkVvCbRb2rup5lc/ySh+1R0ax9LmW35h3M89ijXj18fcT6Hu8ToOVeS6JoyIZDs3PlU/acwwnwyOl4TYnc4nf4XJiRrByNCfN3/WlXLVr9oLB0sP32pStliqjSR7d9lWxxiSLfW1G1Qeiyn"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
2Mi3lKoJfj.exeJoeSecurity_QuasarYara detected Quasar RATJoe Security
    2Mi3lKoJfj.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      2Mi3lKoJfj.exeMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
      • 0x28ee9d:$x1: Quasar.Common.Messages
      • 0x29f1c6:$x1: Quasar.Common.Messages
      • 0x2ab83e:$x4: Uninstalling... good bye :-(
      • 0x2ad033:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
      2Mi3lKoJfj.exeINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
      • 0x2aadf0:$f1: FileZilla\recentservers.xml
      • 0x2aae30:$f2: FileZilla\sitemanager.xml
      • 0x2aae72:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
      • 0x2ab0be:$b1: Chrome\User Data\
      • 0x2ab114:$b1: Chrome\User Data\
      • 0x2ab3ec:$b2: Mozilla\Firefox\Profiles
      • 0x2ab4e8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2fd46c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2ab640:$b4: Opera Software\Opera Stable\Login Data
      • 0x2ab6fa:$b5: YandexBrowser\User Data\
      • 0x2ab768:$b5: YandexBrowser\User Data\
      • 0x2ab43c:$s4: logins.json
      • 0x2ab172:$a1: username_value
      • 0x2ab190:$a2: password_value
      • 0x2ab47c:$a3: encryptedUsername
      • 0x2fd3b0:$a3: encryptedUsername
      • 0x2ab4a0:$a4: encryptedPassword
      • 0x2fd3ce:$a4: encryptedPassword
      • 0x2fd34c:$a5: httpRealm
      2Mi3lKoJfj.exeMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
      • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
      • 0x2ab928:$s3: Process already elevated.
      • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
      • 0x278c58:$s5: GetKeyloggerLogsDirectory
      • 0x29e925:$s5: GetKeyloggerLogsDirectory
      • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
      • 0x2fea9a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeJoeSecurity_QuasarYara detected Quasar RATJoe Security
        C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
          • 0x28ee9d:$x1: Quasar.Common.Messages
          • 0x29f1c6:$x1: Quasar.Common.Messages
          • 0x2ab83e:$x4: Uninstalling... good bye :-(
          • 0x2ad033:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
          C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
          • 0x2aadf0:$f1: FileZilla\recentservers.xml
          • 0x2aae30:$f2: FileZilla\sitemanager.xml
          • 0x2aae72:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
          • 0x2ab0be:$b1: Chrome\User Data\
          • 0x2ab114:$b1: Chrome\User Data\
          • 0x2ab3ec:$b2: Mozilla\Firefox\Profiles
          • 0x2ab4e8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
          • 0x2fd46c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
          • 0x2ab640:$b4: Opera Software\Opera Stable\Login Data
          • 0x2ab6fa:$b5: YandexBrowser\User Data\
          • 0x2ab768:$b5: YandexBrowser\User Data\
          • 0x2ab43c:$s4: logins.json
          • 0x2ab172:$a1: username_value
          • 0x2ab190:$a2: password_value
          • 0x2ab47c:$a3: encryptedUsername
          • 0x2fd3b0:$a3: encryptedUsername
          • 0x2ab4a0:$a4: encryptedPassword
          • 0x2fd3ce:$a4: encryptedPassword
          • 0x2fd34c:$a5: httpRealm
          C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
          • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
          • 0x2ab928:$s3: Process already elevated.
          • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
          • 0x278c58:$s5: GetKeyloggerLogsDirectory
          • 0x29e925:$s5: GetKeyloggerLogsDirectory
          • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
          • 0x2fea9a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000003.00000002.4099457933.00000000031DE000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
            00000000.00000002.1669778784.000000001B950000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
              00000000.00000000.1640680973.0000000000772000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
                Process Memory Space: 2Mi3lKoJfj.exe PID: 7300JoeSecurity_QuasarYara detected Quasar RATJoe Security
                  Process Memory Space: RuntimeBroker.exe PID: 7420JoeSecurity_QuasarYara detected Quasar RATJoe Security

                    Unpacked PEs

                    SourceRuleDescriptionAuthorStrings
                    0.0.2Mi3lKoJfj.exe.770000.0.unpackJoeSecurity_QuasarYara detected Quasar RATJoe Security
                      0.0.2Mi3lKoJfj.exe.770000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                        0.0.2Mi3lKoJfj.exe.770000.0.unpackMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
                        • 0x28ee9d:$x1: Quasar.Common.Messages
                        • 0x29f1c6:$x1: Quasar.Common.Messages
                        • 0x2ab83e:$x4: Uninstalling... good bye :-(
                        • 0x2ad033:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
                        0.0.2Mi3lKoJfj.exe.770000.0.unpackINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
                        • 0x2aadf0:$f1: FileZilla\recentservers.xml
                        • 0x2aae30:$f2: FileZilla\sitemanager.xml
                        • 0x2aae72:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
                        • 0x2ab0be:$b1: Chrome\User Data\
                        • 0x2ab114:$b1: Chrome\User Data\
                        • 0x2ab3ec:$b2: Mozilla\Firefox\Profiles
                        • 0x2ab4e8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                        • 0x2fd46c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                        • 0x2ab640:$b4: Opera Software\Opera Stable\Login Data
                        • 0x2ab6fa:$b5: YandexBrowser\User Data\
                        • 0x2ab768:$b5: YandexBrowser\User Data\
                        • 0x2ab43c:$s4: logins.json
                        • 0x2ab172:$a1: username_value
                        • 0x2ab190:$a2: password_value
                        • 0x2ab47c:$a3: encryptedUsername
                        • 0x2fd3b0:$a3: encryptedUsername
                        • 0x2ab4a0:$a4: encryptedPassword
                        • 0x2fd3ce:$a4: encryptedPassword
                        • 0x2fd34c:$a5: httpRealm
                        0.0.2Mi3lKoJfj.exe.770000.0.unpackMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
                        • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
                        • 0x2ab928:$s3: Process already elevated.
                        • 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
                        • 0x278c58:$s5: GetKeyloggerLogsDirectory
                        • 0x29e925:$s5: GetKeyloggerLogsDirectory
                        • 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
                        • 0x2fea9a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

                        Sigma Signatures

                        System Summary

                        barindex
                        Sigma detected: Files With System Process Name In Unsuspected Locations
                        Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\2Mi3lKoJfj.exe, ProcessId: 7300, TargetFilename: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
                        Sigma detected: System File Execution Location Anomaly
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe", CommandLine: "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, NewProcessName: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, OriginalFileName: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, ParentCommandLine: "C:\Users\user\Desktop\2Mi3lKoJfj.exe", ParentImage: C:\Users\user\Desktop\2Mi3lKoJfj.exe, ParentProcessId: 7300, ParentProcessName: 2Mi3lKoJfj.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe", ProcessId: 7420, ProcessName: RuntimeBroker.exe
                        Sigma detected: Suspicious Add Scheduled Task Parent
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe", ParentImage: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, ParentProcessId: 7420, ParentProcessName: RuntimeBroker.exe, ProcessCommandLine: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f, ProcessId: 7472, ProcessName: schtasks.exe
                        Sigma detected: Suspicious Execution of Shutdown
                        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\shutdown.exe" /s /t 0, CommandLine: "C:\Windows\System32\shutdown.exe" /s /t 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\shutdown.exe, NewProcessName: C:\Windows\System32\shutdown.exe, OriginalFileName: C:\Windows\System32\shutdown.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe", ParentImage: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, ParentProcessId: 7420, ParentProcessName: RuntimeBroker.exe, ProcessCommandLine: "C:\Windows\System32\shutdown.exe" /s /t 0, ProcessId: 7672, ProcessName: shutdown.exe
                        Sigma detected: Suspicious Schtasks From Env Var Folder
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\2Mi3lKoJfj.exe", ParentImage: C:\Users\user\Desktop\2Mi3lKoJfj.exe, ParentProcessId: 7300, ParentProcessName: 2Mi3lKoJfj.exe, ProcessCommandLine: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f, ProcessId: 7328, ProcessName: schtasks.exe

                        Persistence and Installation Behavior

                        barindex
                        Sigma detected: Schedule system process
                        Source: Process startedAuthor: Joe Security: Data: Command: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\2Mi3lKoJfj.exe", ParentImage: C:\Users\user\Desktop\2Mi3lKoJfj.exe, ParentProcessId: 7300, ParentProcessName: 2Mi3lKoJfj.exe, ProcessCommandLine: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f, ProcessId: 7328, ProcessName: schtasks.exe

                        Suricata Signatures

                        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                        2025-01-03T07:42:02.002202+010020355951Domain Observed Used for C2 Detected194.26.192.1672768192.168.2.449730TCP
                        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                        2025-01-03T07:42:02.002202+010020276191Domain Observed Used for C2 Detected194.26.192.1672768192.168.2.449730TCP

                        Joe Sandbox Signatures

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Antivirus / Scanner detection for submitted sample
                        Source: 2Mi3lKoJfj.exeAvira: detected
                        Antivirus detection for dropped file
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeAvira: detection malicious, Label: HEUR/AGEN.1307453
                        Found malware configuration
                        Source: 2Mi3lKoJfj.exeMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "194.26.192.167:2768;", "SubDirectory": "RuntimeBroker", "InstallName": "RuntimeBroker.exe", "MutexName": "859d5f90-e2d0-4b2d-ba9f-5371df032ec2", "StartupKey": "RuntimeBroker", "LogDirectoryName": "Logs", "ServerSignature": "HLslqQCNhdORmt9FCkAoRZrPsL/QZ+X7L5BYCTwyjm+j0iRcqsXqSMBfjKaA0Z/VsXvYHImcNHtGPMZtFagEfGGsJYPbzXbkf3bmRGyrX2KjSu21OB4r/BrzkxWemrgblEj7tj3Y9suDtBtkRspLl3wICM1YJI4WF5dGSHgO3O28feawR8uCUuw8s95M470IepEqdwNbtYXzdtXfjNj6zQg8Eo0irBdcUB9eNuRVK8DeoMeer8ueo9HviqpSea31UwRMcLWq7EFFBLPAXSqpqg3G+qxE14o4wmdEHOwlFynUpEtiRkrdeIX89V+JIeue321yPIIt1PrQHqGp87c7BsOkaBTYZg7Pk104uKe/zWShInSWuvv0cc04ndks+SknWEjAJFoe6kGaTnEaa5bv8QiJ91McGOFEPJQhMyFnBlWiVeMEyro7LwGxg9QugfOmvOH3jNEb+EP4p+nNm/ywWgBWsSNTfrUyiBDGFNMqBG3Q5ObAvUHmJV/q5GxnJrgFN2wAL3CHP71RESbg8bTr8aMvv7wG5ih8ORKB8rrw41KPbosFIjjj1C/KKddXMW5E3K15+yZFqb7p/oeFiWJit3g0ETP7WskoSWzLqRAOV9A4tVX+LgEgv4pSmQE+x85dt80GcFPVHEUTTtYx+fCXD9Ux5n8b2GnSgBxQHYzhrLw=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANsXKsVBNY84Mxn9yL1q+zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIyMjIxNDAwMloYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApZBonJM7WYHmpm3qdrgPzvZzjN2KhDm7b6/Ed/STVeygNnLFcWZRg3SlTelP9JyCVSduUTu3rnUGjKv6Yy93iBREBOLUjz//kG9XFcu1bC7kspcUZsXwWvh4oTpK5TYTvNv+S33iVxkTFF1X2irKFrw1JqX+iTC8Gs7kzh6lD1oBzg8dCxiq1ztmOsvY4KF0/AeOr/1lVNT43QD+Mz0YgLOrAP88SIvZ6uSEKRpDJGHWMrDdvICjhDrH4G7sdT1lJyZfOqWKj3LjZfL9hKh1PZYRKlyoH764Y7J5LqqyyrBlr36kLdNoEYCHvywePknU5CS5024n73ozNQBIN1uf/gUjBOTbg6QMZLpN0TwI0TA+z2uEejwDvRZLi+nHdtsiIGfGjaIWANfH2G+u1IZ71cw7dpvW1FRUXnwjVGqUu3C/FYWpRTQLd9J2mYVp2sc6ODR1jh+vnhkaCB6cCSyOI36ciDPGGad5j9asNSucHqLg0WgkVSyUkxNlBtPgINBoIjsd/SN9XDxPiAue4JkXJoku1wP+C0XCIdGuDfMXpj0ZtlUU3FNd5GcbE9lBlggv3F5B7NfyfloPtD1p/esufaH9p0H1pmItCQ+OaIMolSbOeuLFnttPKEJKiVCgoCiX/Af4sla10/O6BsxLDxX38y0KVj0cX7e/3jJRxp1V9RcCAwEAAaMyMDAwHQYDVR0OBBYEFEX38BPzk+UmcA6SV5MxFCubg1rAMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACuFs22c0aieLDzZUhcWB0xaLJdtSG9Ad4gh69F1m+3OhzTOSYrjY5xFVy/0pRfYAuMoxuPD74VdYDBa0epCfT1qFM5FfQ07OXtxzoNuuVTjjkB+Mzl6Als+9B+QptwvLw4JGJQPDuge6sShs18izP0wFzpKpFnC4GUTY47DiW3uOdYjQgYbMatcNGramkemH1oNRkrHy494GXKZp5I1JlwCgeY630ylli4j31KQgRZPge8QwAzzkLZDiS320GuVb2D6ElTvCLOTE8PungImR9VB3GfZvG6ATppnW855+og/emxPhwmoblcSbXLDzWykwyP0VVr0o2uY+qj7FuVER/XURMdfp36DMRJua4vPfvcBAvxCQvwKT79tcW3E0y0qkM47gcjZ1hVHOvDbIwWo849RZcq7hxHaQ0GHcUFILob3IjG5r34debZJm/uJ4wJ4oss6sD1FTDej8LfmkzYfxVxVAMUtRo+OyxOhWXGjIrcH3LOQoJkLs3hYrc62oQEn17FXvEgetwp4SaiQIPUALl5hyfAi1PkVvCbRb2rup5lc/ySh+1R0ax9LmW35h3M89ijXj18fcT6Hu8ToOVeS6JoyIZDs3PlU/acwwnwyOl4TYnc4nf4XJiRrByNCfN3/WlXLVr9oLB0sP32pStliqjSR7d9lWxxiSLfW1G1Qeiyn"}
                        Multi AV Scanner detection for dropped file
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeReversingLabs: Detection: 84%
                        Multi AV Scanner detection for submitted file
                        Source: 2Mi3lKoJfj.exeVirustotal: Detection: 84%Perma Link
                        Source: 2Mi3lKoJfj.exeReversingLabs: Detection: 84%
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: 2Mi3lKoJfj.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.4099457933.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1669778784.000000001B950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1640680973.0000000000772000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 2Mi3lKoJfj.exe PID: 7300, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 7420, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPED
                        AI detected suspicious sample
                        Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                        Machine Learning detection for dropped file
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeJoe Sandbox ML: detected
                        Machine Learning detection for sample
                        Source: 2Mi3lKoJfj.exeJoe Sandbox ML: detected
                        Source: 2Mi3lKoJfj.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49732 version: TLS 1.2
                        Source: 2Mi3lKoJfj.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Networking

                        barindex
                        Suricata IDS alerts for network traffic
                        Source: Network trafficSuricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 194.26.192.167:2768 -> 192.168.2.4:49730
                        Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 194.26.192.167:2768 -> 192.168.2.4:49730
                        C2 URLs / IPs found in malware configuration
                        Source: Malware configuration extractorURLs: 194.26.192.167
                        Yara detected Generic Downloader
                        Source: Yara matchFile source: 2Mi3lKoJfj.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPED
                        Source: global trafficTCP traffic: 192.168.2.4:49730 -> 194.26.192.167:2768
                        Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                        Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                        Source: Joe Sandbox ViewASN Name: HEANETIE HEANETIE
                        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: unknownDNS query: name: ipwho.is
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownTCP traffic detected without corresponding DNS query: 194.26.192.167
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                        Source: global trafficDNS traffic detected: DNS query: ipwho.is
                        Source: RuntimeBroker.exe, 00000003.00000002.4106509469.000000001BA5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                        Source: RuntimeBroker.exe, 00000003.00000002.4099105126.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.3.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                        Source: RuntimeBroker.exe, 00000003.00000002.4099457933.000000000318F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipwho.is
                        Source: RuntimeBroker.exe, 00000003.00000002.4099457933.00000000031DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                        Source: 2Mi3lKoJfj.exe, 00000000.00000002.1667910888.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000003.00000002.4099457933.0000000002DE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: 2Mi3lKoJfj.exe, RuntimeBroker.exe.0.drString found in binary or memory: https://api.ipify.org/
                        Source: RuntimeBroker.exe, 00000003.00000002.4099457933.0000000003175000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is
                        Source: 2Mi3lKoJfj.exe, RuntimeBroker.exe.0.drString found in binary or memory: https://ipwho.is/
                        Source: 2Mi3lKoJfj.exe, RuntimeBroker.exe.0.drString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                        Source: 2Mi3lKoJfj.exe, RuntimeBroker.exe.0.drString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                        Source: 2Mi3lKoJfj.exe, RuntimeBroker.exe.0.drString found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                        Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49732 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        barindex
                        Installs a global keyboard hook
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeJump to behavior

                        E-Banking Fraud

                        barindex
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: 2Mi3lKoJfj.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.4099457933.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1669778784.000000001B950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1640680973.0000000000772000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 2Mi3lKoJfj.exe PID: 7300, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 7420, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPED

                        System Summary

                        barindex
                        Malicious sample detected (through community Yara rule)
                        Source: 2Mi3lKoJfj.exe, type: SAMPLEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: 2Mi3lKoJfj.exe, type: SAMPLEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: 2Mi3lKoJfj.exe, type: SAMPLEMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPEDMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPEDMatched rule: Detects Quasar infostealer Author: ditekshen
                        Uses shutdown.exe to shutdown or reboot the system
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess created: C:\Windows\System32\shutdown.exe "C:\Windows\System32\shutdown.exe" /s /t 0
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess Stats: CPU usage > 49%
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA57C163_2_00007FFD9BA57C16
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA63AF93_2_00007FFD9BA63AF9
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA5EB293_2_00007FFD9BA5EB29
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA492713_2_00007FFD9BA49271
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA5CAD53_2_00007FFD9BA5CAD5
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA58A0F3_2_00007FFD9BA58A0F
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA4AFDD3_2_00007FFD9BA4AFDD
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA5B8513_2_00007FFD9BA5B851
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA49FD03_2_00007FFD9BA49FD0
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA68E303_2_00007FFD9BA68E30
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA455D63_2_00007FFD9BA455D6
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA4621F3_2_00007FFD9BA4621F
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BB623263_2_00007FFD9BB62326
                        Source: 2Mi3lKoJfj.exe, 00000000.00000000.1640994131.0000000000A90000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename" vs 2Mi3lKoJfj.exe
                        Source: 2Mi3lKoJfj.exe, 00000000.00000002.1669778784.000000001B950000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename" vs 2Mi3lKoJfj.exe
                        Source: 2Mi3lKoJfj.exeBinary or memory string: OriginalFilename" vs 2Mi3lKoJfj.exe
                        Source: 2Mi3lKoJfj.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 2Mi3lKoJfj.exe, type: SAMPLEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: 2Mi3lKoJfj.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: 2Mi3lKoJfj.exe, type: SAMPLEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@16/5@1/2
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeFile created: C:\Users\user\AppData\Roaming\RuntimeBrokerJump to behavior
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeMutant created: \Sessions\1\BaseNamedObjects\Local\859d5f90-e2d0-4b2d-ba9f-5371df032ec2
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
                        Source: 2Mi3lKoJfj.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: 2Mi3lKoJfj.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: 2Mi3lKoJfj.exeVirustotal: Detection: 84%
                        Source: 2Mi3lKoJfj.exeReversingLabs: Detection: 84%
                        Source: 2Mi3lKoJfj.exeString found in binary or memory: HasSubValue3Conflicting item/add type
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeFile read: C:\Users\user\Desktop\2Mi3lKoJfj.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\2Mi3lKoJfj.exe "C:\Users\user\Desktop\2Mi3lKoJfj.exe"
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess created: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe"
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess created: C:\Windows\System32\shutdown.exe "C:\Windows\System32\shutdown.exe" /s /t 0
                        Source: C:\Windows\System32\shutdown.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess created: C:\Windows\System32\shutdown.exe "C:\Windows\System32\shutdown.exe" /s /t 0
                        Source: C:\Windows\System32\shutdown.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess created: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe"Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess created: C:\Windows\System32\shutdown.exe "C:\Windows\System32\shutdown.exe" /s /t 0Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess created: C:\Windows\System32\shutdown.exe "C:\Windows\System32\shutdown.exe" /s /t 0Jump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: cryptnet.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: webio.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Windows\System32\shutdown.exeSection loaded: shutdownext.dllJump to behavior
                        Source: C:\Windows\System32\shutdown.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\shutdown.exeSection loaded: shutdownext.dllJump to behavior
                        Source: C:\Windows\System32\shutdown.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                        Source: 2Mi3lKoJfj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: 2Mi3lKoJfj.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: 2Mi3lKoJfj.exeStatic file information: File size 3266048 > 1048576
                        Source: 2Mi3lKoJfj.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600
                        Source: 2Mi3lKoJfj.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeCode function: 0_2_00007FFD9B7F00AD pushad ; iretd 0_2_00007FFD9B7F00C1
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9B6BEECF push ebx; ret 3_2_00007FFD9B6BEEDA
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9B6BEF45 push ebx; ret 3_2_00007FFD9B6BEF46
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9B6BD2A5 pushad ; iretd 3_2_00007FFD9B6BD2A6
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9B7D00AD pushad ; iretd 3_2_00007FFD9B7D00C1
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BA4336E push eax; ret 3_2_00007FFD9BA4340C
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9BB62326 push edx; retf 5F20h3_2_00007FFD9BB65A3B
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 4_2_00007FFD9B7F00AD pushad ; iretd 4_2_00007FFD9B7F00C1
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeFile created: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeJump to dropped file

                        Boot Survival

                        barindex
                        Uses schtasks.exe or at.exe to add and modify task schedules
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Hides that the sample has been downloaded from the Internet (zone.identifier)
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeFile opened: C:\Users\user\Desktop\2Mi3lKoJfj.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeFile opened: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeMemory allocated: 2B80000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeMemory allocated: 1AD40000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeMemory allocated: 2DB0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeMemory allocated: 1ADB0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeMemory allocated: 3420000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeMemory allocated: 1B420000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeCode function: 3_2_00007FFD9B7DF1F2 str ax3_2_00007FFD9B7DF1F2
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeWindow / User API: threadDelayed 2852Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeWindow / User API: threadDelayed 6889Jump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exe TID: 7324Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe TID: 7536Thread sleep time: -25825441703193356s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe TID: 7556Thread sleep count: 2852 > 30Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe TID: 7556Thread sleep count: 6889 > 30Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe TID: 7492Thread sleep time: -30000s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe TID: 7468Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: RuntimeBroker.exe, 00000003.00000002.4107371523.000000001BB5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: RuntimeBroker.exe, 00000003.00000002.4107576471.000000001BBA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                        Source: RuntimeBroker.exe, 00000003.00000002.4107371523.000000001BB5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWRSVP TCPv6 Service Provider
                        Source: RuntimeBroker.exe, 00000003.00000002.4107296276.000000001BB55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: RuntimeBroker.exe, 00000003.00000002.4106204427.000000001BA00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@&
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeMemory allocated: page read and write | page guardJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeProcess created: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe"Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess created: C:\Windows\System32\shutdown.exe "C:\Windows\System32\shutdown.exe" /s /t 0Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeProcess created: C:\Windows\System32\shutdown.exe "C:\Windows\System32\shutdown.exe" /s /t 0Jump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeQueries volume information: C:\Users\user\Desktop\2Mi3lKoJfj.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeQueries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exeQueries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\2Mi3lKoJfj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        barindex
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: 2Mi3lKoJfj.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.4099457933.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1669778784.000000001B950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1640680973.0000000000772000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 2Mi3lKoJfj.exe PID: 7300, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 7420, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPED

                        Remote Access Functionality

                        barindex
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: 2Mi3lKoJfj.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.2Mi3lKoJfj.exe.770000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.4099457933.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1669778784.000000001B950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1640680973.0000000000772000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 2Mi3lKoJfj.exe PID: 7300, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 7420, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, type: DROPPED

                        Mitre Att&ck Matrix

                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
                        Windows Management Instrumentation                        		1
                        Scheduled Task/Job                        		11
                        Process Injection                        		1
                        Masquerading                        		11
                        Input Capture                        		1
                        Query Registry                        		Remote Services11
                        Input Capture                        		11
                        Encrypted Channel                        		Exfiltration Over Other Network Medium1
                        System Shutdown/Reboot
                        CredentialsDomainsDefault Accounts2
                        Command and Scripting Interpreter                        		1
                        DLL Side-Loading                        		1
                        Scheduled Task/Job                        		1
                        Disable or Modify Tools                        		LSASS Memory111
                        Security Software Discovery                        		Remote Desktop Protocol1
                        Archive Collected Data                        		1
                        Non-Standard Port                        		Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain Accounts1
                        Scheduled Task/Job                        		Logon Script (Windows)1
                        DLL Side-Loading                        		51
                        Virtualization/Sandbox Evasion                        		Security Account Manager51
                        Virtualization/Sandbox Evasion                        		SMB/Windows Admin SharesData from Network Shared Drive1
                        Ingress Tool Transfer                        		Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                        Process Injection                        		NTDS1
                        Application Window Discovery                        		Distributed Component Object ModelInput Capture2
                        Non-Application Layer Protocol                        		Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                        Hidden Files and Directories                        		LSA Secrets1
                        System Network Configuration Discovery                        		SSHKeylogging113
                        Application Layer Protocol                        		Scheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                        Obfuscated Files or Information                        		Cached Domain Credentials1
                        File and Directory Discovery                        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                        DLL Side-Loading                        		DCSync23
                        System Information Discovery                        		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1583601 Sample: 2Mi3lKoJfj.exe Startdate: 03/01/2025 Architecture: WINDOWS Score: 100 39 ipwho.is 2->39 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 10 other signatures 2->59 9 2Mi3lKoJfj.exe 5 2->9         started        13 RuntimeBroker.exe 3 2->13         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32 9->35 dropped 37 C:\Users\user\AppData\...\2Mi3lKoJfj.exe.log, CSV 9->37 dropped 61 Uses schtasks.exe or at.exe to add and modify task schedules 9->61 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->63 15 RuntimeBroker.exe 3 9->15         started        19 schtasks.exe 1 9->19         started        signatures6 process7 dnsIp8 41 194.26.192.167, 2768, 49730 HEANETIE Netherlands 15->41 43 ipwho.is 195.201.57.90, 443, 49732 HETZNER-ASDE Germany 15->43 45 Antivirus detection for dropped file 15->45 47 Multi AV Scanner detection for dropped file 15->47 49 Machine Learning detection for dropped file 15->49 51 3 other signatures 15->51 21 schtasks.exe 1 15->21         started        23 shutdown.exe 1 15->23         started        25 shutdown.exe 1 15->25         started        27 conhost.exe 19->27         started        signatures9 process10 process11 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started       

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        SourceDetectionScannerLabelLink
                        2Mi3lKoJfj.exe85%VirustotalBrowse
                        2Mi3lKoJfj.exe84%ReversingLabsByteCode-MSIL.Backdoor.Quasar
                        2Mi3lKoJfj.exe100%AviraHEUR/AGEN.1307453
                        2Mi3lKoJfj.exe100%Joe Sandbox ML

                        Dropped Files

                        SourceDetectionScannerLabelLink
                        C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe100%AviraHEUR/AGEN.1307453
                        C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe100%Joe Sandbox ML
                        C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe84%ReversingLabsByteCode-MSIL.Backdoor.Quasar

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        No Antivirus matches

                        URLs

                        SourceDetectionScannerLabelLink
                        194.26.192.1670%Avira URL Cloudsafe

                        Domains and IPs

                        Contacted Domains

                        NameIPActiveMaliciousAntivirus DetectionReputation
                        bg.microsoft.map.fastly.net
                        		199.232.210.172
                        		truefalse
                          		high
                          ipwho.is
                          		195.201.57.90
                          		truefalse
                            		high

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            194.26.192.167true
                            • Avira URL Cloud: safe
                            		unknown
                            https://ipwho.is/false
                              		high

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              https://api.ipify.org/2Mi3lKoJfj.exe, RuntimeBroker.exe.0.drfalse
                                		high
                                https://stackoverflow.com/q/14436606/233542Mi3lKoJfj.exe, RuntimeBroker.exe.0.drfalse
                                  		high
                                  https://stackoverflow.com/q/2152978/23354sCannot2Mi3lKoJfj.exe, RuntimeBroker.exe.0.drfalse
                                    		high
                                    http://schemas.datacontract.org/2004/07/RuntimeBroker.exe, 00000003.00000002.4099457933.00000000031DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name2Mi3lKoJfj.exe, 00000000.00000002.1667910888.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000003.00000002.4099457933.0000000002DE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://ipwho.isRuntimeBroker.exe, 00000003.00000002.4099457933.000000000318F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://stackoverflow.com/q/11564914/23354;2Mi3lKoJfj.exe, RuntimeBroker.exe.0.drfalse
                                            		high
                                            https://ipwho.isRuntimeBroker.exe, 00000003.00000002.4099457933.0000000003175000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high

                                              World Map of Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public IPs

                                              IPDomainCountryFlagASNASN NameMalicious
                                              194.26.192.167
                                              		unknownNetherlands
                                              		1213HEANETIEtrue
                                              195.201.57.90
                                              		ipwho.isGermany
                                              		24940HETZNER-ASDEfalse

                                              General Information

                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1583601
                                              Start date and time:2025-01-03 07:41:08 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 7m 56s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:15
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:2Mi3lKoJfj.exe
                                              renamed because original name is a hash value
                                              Original Sample Name:b94af11cca65c557d23559e978a49d18.exe
                                              Detection:MAL
                                              Classification:mal100.rans.troj.spyw.evad.winEXE@16/5@1/2
                                              EGA Information:
                                              • Successful, ratio: 66.7%
                                              HCA Information:
                                              • Successful, ratio: 91%
                                              • Number of executed functions: 61
                                              • Number of non-executed functions: 1
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Override analysis time to 240000 for current running targets taking high CPU consumption

                                              Warnings

                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                              • Excluded IPs from analysis (whitelisted): 199.232.210.172, 52.149.20.212, 13.107.246.45
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target RuntimeBroker.exe, PID 7448 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              01:42:00API Interceptor14744148x Sleep call for process: RuntimeBroker.exe modified
                                              06:41:59Task SchedulerRun new task: RuntimeBroker path: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe

                                              Joe Sandbox View / Context

                                              IPs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              195.201.57.90SPt4FUjZMt.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLineBrowse
                                              • /?output=json
                                              765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                              • /?output=json
                                              765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                              • /?output=json
                                              WfKynArKjH.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, RedLineBrowse
                                              • /?output=json
                                              ubes6SC7Vd.exeGet hashmaliciousUnknownBrowse
                                              • ipwhois.app/xml/
                                              cOQD62FceM.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                              • /?output=json
                                              Clipper.exeGet hashmaliciousUnknownBrowse
                                              • /?output=json
                                              cOQD62FceM.exeGet hashmaliciousLuca StealerBrowse
                                              • /?output=json
                                              Cryptor.exeGet hashmaliciousLuca StealerBrowse
                                              • /?output=json
                                              Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                              • /?output=json

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              ipwho.isYJaaZuNHwI.exeGet hashmaliciousQuasarBrowse
                                              • 195.201.57.90
                                              Flasher.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                              • 108.181.61.49
                                              msgde.exeGet hashmaliciousQuasarBrowse
                                              • 108.181.61.49
                                              6ee7HCp9cD.exeGet hashmaliciousQuasarBrowse
                                              • 108.181.61.49
                                              wUSt04rfJ0.exeGet hashmaliciousQuasarBrowse
                                              • 108.181.61.49
                                              https://en.newsnowbangla.com/archives/69912Get hashmaliciousHTMLPhisher, TechSupportScamBrowse
                                              • 108.181.61.49
                                              StGx54oFh6.exeGet hashmaliciousQuasarBrowse
                                              • 108.181.61.49
                                              1AqzGcCKey.exeGet hashmaliciousQuasarBrowse
                                              • 108.181.61.49
                                              BJtvb5Vdhh.exeGet hashmaliciousQuasarBrowse
                                              • 108.181.61.49
                                              HquJT7q6xG.exeGet hashmaliciousQuasarBrowse
                                              • 108.181.61.49
                                              bg.microsoft.map.fastly.netReparto Trabajo TP4.xlsmGet hashmaliciousUnknownBrowse
                                              • 199.232.210.172
                                              file.exeGet hashmaliciousDcRat, JasonRATBrowse
                                              • 199.232.214.172
                                              iviewers.dllGet hashmaliciousDcRat, KeyLogger, StormKitty, Strela Stealer, VenomRATBrowse
                                              • 199.232.214.172
                                              wrcaf.ps1Get hashmaliciousDcRat, KeyLogger, StormKitty, Strela Stealer, VenomRATBrowse
                                              • 199.232.210.172
                                              iubn.ps1Get hashmaliciousDcRat, KeyLogger, StormKitty, Strela Stealer, VenomRATBrowse
                                              • 199.232.210.172
                                              rwvg1.exeGet hashmaliciousDcRat, KeyLogger, StormKitty, VenomRATBrowse
                                              • 199.232.210.172
                                              ersyb.exeGet hashmaliciousDcRat, KeyLogger, StormKitty, VenomRATBrowse
                                              • 199.232.214.172
                                              Hornswoggle.exeGet hashmaliciousGuLoaderBrowse
                                              • 199.232.214.172
                                              8n26gvrXUM.exeGet hashmaliciousUnknownBrowse
                                              • 199.232.214.172
                                              https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690Get hashmaliciousUnknownBrowse
                                              • 199.232.210.172

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              HEANETIE4.elfGet hashmaliciousUnknownBrowse
                                              • 87.44.44.181
                                              botx.x86.elfGet hashmaliciousMiraiBrowse
                                              • 136.206.122.80
                                              armv7l.elfGet hashmaliciousMiraiBrowse
                                              • 87.45.97.203
                                              armv6l.elfGet hashmaliciousMiraiBrowse
                                              • 143.239.172.125
                                              splspc.elfGet hashmaliciousUnknownBrowse
                                              • 136.206.67.80
                                              loligang.sh4.elfGet hashmaliciousMiraiBrowse
                                              • 87.44.85.54
                                              3.elfGet hashmaliciousUnknownBrowse
                                              • 87.47.150.191
                                              nshkppc.elfGet hashmaliciousMiraiBrowse
                                              • 87.46.25.34
                                              mips.elfGet hashmaliciousMirai, MoobotBrowse
                                              • 87.42.38.252
                                              mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                              • 87.45.27.239
                                              HETZNER-ASDE3.elfGet hashmaliciousUnknownBrowse
                                              • 195.201.78.91
                                              2.elfGet hashmaliciousUnknownBrowse
                                              • 212.127.42.203
                                              https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63Get hashmaliciousHTMLPhisherBrowse
                                              • 138.201.139.144
                                              https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtmlGet hashmaliciousHTMLPhisherBrowse
                                              • 138.201.139.144
                                              https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtmlGet hashmaliciousHTMLPhisherBrowse
                                              • 138.201.139.144
                                              http://www.rr8844.comGet hashmaliciousUnknownBrowse
                                              • 88.99.67.51
                                              DF2.exeGet hashmaliciousUnknownBrowse
                                              • 78.46.239.124
                                              YJaaZuNHwI.exeGet hashmaliciousQuasarBrowse
                                              • 195.201.57.90
                                              CenteredDealing.exeGet hashmaliciousVidarBrowse
                                              • 116.203.13.109
                                              CenteredDealing.exeGet hashmaliciousVidarBrowse
                                              • 116.203.13.109

                                              JA3 Fingerprints

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              3b5074b1b5d032e5620f69f9f700ff0eRFQ-12202431_ACD_Group.pif.exeGet hashmaliciousUnknownBrowse
                                              • 195.201.57.90
                                              RFQ-12202431_ACD_Group.pif.exeGet hashmaliciousUnknownBrowse
                                              • 195.201.57.90
                                              ogVinh0jhq.exeGet hashmaliciousDCRatBrowse
                                              • 195.201.57.90
                                              Sylacauga AL License.msgGet hashmaliciousUnknownBrowse
                                              • 195.201.57.90
                                              https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtmlGet hashmaliciousHTMLPhisherBrowse
                                              • 195.201.57.90
                                              image.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                              • 195.201.57.90
                                              DHL DOC INV 191224.gz.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                              • 195.201.57.90
                                              NOTIFICATION_OF_DEPENDANTS_1.vbsGet hashmaliciousXmrigBrowse
                                              • 195.201.57.90
                                              CRf9KBk4ra.exeGet hashmaliciousDCRatBrowse
                                              • 195.201.57.90

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                              Download File
                                              Process:C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                              Category:dropped
                                              Size (bytes):71954
                                              Entropy (8bit):7.996617769952133
                                              Encrypted:true
                                              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                              Download File
                                              Process:C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):328
                                              Entropy (8bit):3.2539954282295116
                                              Encrypted:false
                                              SSDEEP:6:kKrhF9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:j+DImsLNkPlE99SNxAhUe/3
                                              MD5:CCD166C069EF679B634972697403EA1E
                                              SHA1:DAF45DC15D33ED74B5E6793C8E5661AB974A506D
                                              SHA-256:4C176B0E3D64FF9518F23AF660E0403A9249E0B6520A8B51674A4D4860446A4C
                                              SHA-512:507E738345AF36D4C8CE73DB73BFFA26C61F97819818E23EA44D16B106E4760289E6C6C2A81B6EE99FD7631E6E44F2B6F406F08B5509B0F3561C005EC7315DE4
                                              Malicious:false
                                              Preview:p...... ..........6.]..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2Mi3lKoJfj.exe.log

                                              Download File
                                              Process:C:\Users\user\Desktop\2Mi3lKoJfj.exe
                                              File Type:CSV text
                                              Category:dropped
                                              Size (bytes):1281
                                              Entropy (8bit):5.370111951859942
                                              Encrypted:false
                                              SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                              MD5:12C61586CD59AA6F2A21DF30501F71BD
                                              SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                              SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                              SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                              Malicious:true
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

                                              Download File
                                              Process:C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
                                              File Type:CSV text
                                              Category:dropped
                                              Size (bytes):1281
                                              Entropy (8bit):5.370111951859942
                                              Encrypted:false
                                              SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                              MD5:12C61586CD59AA6F2A21DF30501F71BD
                                              SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                              SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                              SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                              C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe

                                              Download File
                                              Process:C:\Users\user\Desktop\2Mi3lKoJfj.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):3266048
                                              Entropy (8bit):6.084503895177852
                                              Encrypted:false
                                              SSDEEP:49152:PvSI22SsaNYfdPBldt698dBcjHNGRJ67bR3LoGdGH3THHB72eh2NT:Pv/22SsaNYfdPBldt6+dBcjHNGRJ6N
                                              MD5:B94AF11CCA65C557D23559E978A49D18
                                              SHA1:0C3436D0C5DF8E2E39BF4869BBE4413CA8D594B7
                                              SHA-256:F6A0A782D574DE811FE66ECF6416C69B486F9CA20FAF96CFC863A00063306338
                                              SHA-512:C1254360B2382957F043B8EDCF36B28F13A93D0860DC9609D9B46EDED81BC004E4149113E9EAAD8B4D2CC18164942588BD4E97ECD8FCE4F9AFD8E537BC668B16
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, Author: Florian Roth
                                              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, Author: ditekSHen
                                              • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, Author: ditekshen
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 84%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@...................................1.W.....2.<.................... 2...................................................... ............... ..H............text...4.1.. ....1................. ..`.rsrc...<.....2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(....*....0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........-5..........08......f~w...,.~....(....(....*.*v.(.....s....}.....s....}....*r..(......(.....(......(....*....0..L........{....r...po....

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):6.084503895177852
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:2Mi3lKoJfj.exe
                                              File size:3'266'048 bytes
                                              MD5:b94af11cca65c557d23559e978a49d18
                                              SHA1:0c3436d0c5df8e2e39bf4869bbe4413ca8d594b7
                                              SHA256:f6a0a782d574de811fe66ecf6416c69b486f9ca20faf96cfc863a00063306338
                                              SHA512:c1254360b2382957f043b8edcf36b28f13a93d0860dc9609d9b46eded81bc004e4149113e9eaad8b4d2cc18164942588bd4e97ecd8fce4f9afd8e537bc668b16
                                              SSDEEP:49152:PvSI22SsaNYfdPBldt698dBcjHNGRJ67bR3LoGdGH3THHB72eh2NT:Pv/22SsaNYfdPBldt6+dBcjHNGRJ6N
                                              TLSH:5BE56B143BF85E27E1BBE277A5B0041267F0FC1AF363EB0B6581677A1C53B5098426A7
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

                                              File Icon

                                              Icon Hash:90cececece8e8eb0

                                              Static PE Info

                                              General

                                              Entrypoint:0x71e42e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x31e3d40x57.text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x3200000xa3c.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x3220000xc.reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x20000x31c4340x31c600959b3c04ca812044b9a1106a38e8ede0unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc0x3200000xa3c0xc00a5935f834a4ded3b46b17b880023c905False0.3505859375data5.260153502397429IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc0x3220000xc0x20099e75cdb3927a57ba5de39a6c2349231False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                              RT_VERSION0x3200a00x2c4data0.4279661016949153
                                              RT_MANIFEST0x3203640x6d7XML 1.0 document, Unicode text, UTF-8 (with BOM) text0.40319817247287265

                                              Imports

                                              DLLImport
                                              mscoree.dll_CorExeMain

                                              Network Behavior

                                              Suricata IDS Alerts

                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                              2025-01-03T07:42:02.002202+01002027619ET MALWARE Observed Malicious SSL Cert (Quasar CnC)1194.26.192.1672768192.168.2.449730TCP
                                              2025-01-03T07:42:02.002202+01002035595ET MALWARE Generic AsyncRAT Style SSL Cert1194.26.192.1672768192.168.2.449730TCP

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Jan 3, 2025 07:42:01.360343933 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:01.365250111 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:01.365340948 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:01.374972105 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:01.379717112 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:01.993784904 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:01.993802071 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:01.993875980 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:01.997425079 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:02.002202034 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:02.173552990 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:02.233514071 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:03.454555988 CET49732443192.168.2.4195.201.57.90
                                              Jan 3, 2025 07:42:03.454596996 CET44349732195.201.57.90192.168.2.4
                                              Jan 3, 2025 07:42:03.454678059 CET49732443192.168.2.4195.201.57.90
                                              Jan 3, 2025 07:42:03.455657005 CET49732443192.168.2.4195.201.57.90
                                              Jan 3, 2025 07:42:03.455676079 CET44349732195.201.57.90192.168.2.4
                                              Jan 3, 2025 07:42:04.323565006 CET44349732195.201.57.90192.168.2.4
                                              Jan 3, 2025 07:42:04.323759079 CET49732443192.168.2.4195.201.57.90
                                              Jan 3, 2025 07:42:04.328438997 CET49732443192.168.2.4195.201.57.90
                                              Jan 3, 2025 07:42:04.328449011 CET44349732195.201.57.90192.168.2.4
                                              Jan 3, 2025 07:42:04.328680038 CET44349732195.201.57.90192.168.2.4
                                              Jan 3, 2025 07:42:04.366624117 CET49732443192.168.2.4195.201.57.90
                                              Jan 3, 2025 07:42:04.411325932 CET44349732195.201.57.90192.168.2.4
                                              Jan 3, 2025 07:42:04.559921980 CET44349732195.201.57.90192.168.2.4
                                              Jan 3, 2025 07:42:04.559977055 CET44349732195.201.57.90192.168.2.4
                                              Jan 3, 2025 07:42:04.560023069 CET49732443192.168.2.4195.201.57.90
                                              Jan 3, 2025 07:42:04.639028072 CET49732443192.168.2.4195.201.57.90
                                              Jan 3, 2025 07:42:04.884108067 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:04.888969898 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:04.889045000 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:04.893872023 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:05.234359026 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:05.280458927 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:05.353907108 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:05.405442953 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:10.180813074 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:10.233443975 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:10.306983948 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:10.363185883 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:35.311443090 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:35.316497087 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:39.872502089 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:39.920840025 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:42:39.994837046 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:42:40.045775890 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:43:04.998775005 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:43:05.003595114 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:43:30.014288902 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:43:30.019186020 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:43:55.029795885 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:43:55.034739017 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:44:20.045306921 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:44:20.050219059 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:44:45.060851097 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:44:45.065885067 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:45:10.092000008 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:45:10.097110033 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:45:35.187570095 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:45:35.192470074 CET276849730194.26.192.167192.168.2.4
                                              Jan 3, 2025 07:46:00.201222897 CET497302768192.168.2.4194.26.192.167
                                              Jan 3, 2025 07:46:00.206129074 CET276849730194.26.192.167192.168.2.4

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Jan 3, 2025 07:42:03.443706036 CET5414253192.168.2.41.1.1.1
                                              Jan 3, 2025 07:42:03.451009035 CET53541421.1.1.1192.168.2.4

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Jan 3, 2025 07:42:03.443706036 CET192.168.2.41.1.1.10x39f7Standard query (0)ipwho.isA (IP address)IN (0x0001)false

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Jan 3, 2025 07:42:02.697722912 CET1.1.1.1192.168.2.40xd016No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                              Jan 3, 2025 07:42:02.697722912 CET1.1.1.1192.168.2.40xd016No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                              Jan 3, 2025 07:42:03.451009035 CET1.1.1.1192.168.2.40x39f7No error (0)ipwho.is195.201.57.90A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • ipwho.is

                                              HTTPS Proxied Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.449732195.201.57.904437420C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
                                              TimestampBytes transferredDirectionData
                                              2025-01-03 06:42:04 UTC150OUTGET / HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                              Host: ipwho.is
                                              Connection: Keep-Alive
                                              2025-01-03 06:42:04 UTC223INHTTP/1.1 200 OK
                                              Date: Fri, 03 Jan 2025 06:42:04 GMT
                                              Content-Type: application/json; charset=utf-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Server: ipwhois
                                              Access-Control-Allow-Headers: *
                                              X-Robots-Tag: noindex
                                              2025-01-03 06:42:04 UTC1021INData Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f
                                              Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo


                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:01:41:56
                                              Start date:03/01/2025
                                              Path:C:\Users\user\Desktop\2Mi3lKoJfj.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\2Mi3lKoJfj.exe"
                                              Imagebase:0x770000
                                              File size:3'266'048 bytes
                                              MD5 hash:B94AF11CCA65C557D23559E978A49D18
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1669778784.000000001B950000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1640680973.0000000000772000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:1
                                              Start time:01:41:57
                                              Start date:03/01/2025
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f
                                              Imagebase:0x7ff76f990000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:2
                                              Start time:01:41:57
                                              Start date:03/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:01:41:58
                                              Start date:03/01/2025
                                              Path:C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe"
                                              Imagebase:0x6d0000
                                              File size:3'266'048 bytes
                                              MD5 hash:B94AF11CCA65C557D23559E978A49D18
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.4099457933.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, Author: Joe Security
                                              • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, Author: Florian Roth
                                              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, Author: ditekSHen
                                              • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe, Author: ditekshen
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 84%, ReversingLabs
                                              Reputation:low
                                              Has exited:false

                                              General

                                              Target ID:4
                                              Start time:01:41:59
                                              Start date:03/01/2025
                                              Path:C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
                                              Imagebase:0xd40000
                                              File size:3'266'048 bytes
                                              MD5 hash:B94AF11CCA65C557D23559E978A49D18
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:5
                                              Start time:01:41:59
                                              Start date:03/01/2025
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f
                                              Imagebase:0x7ff76f990000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:6
                                              Start time:01:41:59
                                              Start date:03/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:7
                                              Start time:01:42:09
                                              Start date:03/01/2025
                                              Path:C:\Windows\System32\shutdown.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\shutdown.exe" /s /t 0
                                              Imagebase:0x7ff7a2bf0000
                                              File size:28'160 bytes
                                              MD5 hash:F2A4E18DA72BB2C5B21076A5DE382A20
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:8
                                              Start time:01:42:09
                                              Start date:03/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:12
                                              Start time:01:42:38
                                              Start date:03/01/2025
                                              Path:C:\Windows\System32\shutdown.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\shutdown.exe" /s /t 0
                                              Imagebase:0x7ff7a2bf0000
                                              File size:28'160 bytes
                                              MD5 hash:F2A4E18DA72BB2C5B21076A5DE382A20
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:13
                                              Start time:01:42:38
                                              Start date:03/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Execution Graph

                                                Execution Coverage:15.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:6
                                                Total number of Limit Nodes:0
                                                execution_graph 1723 7ffd9b7f3569 1724 7ffd9b7f3571 DeleteFileW 1723->1724 1726 7ffd9b7f3616 1724->1726 1731 7ffd9b7f206a 1732 7ffd9b7f3580 DeleteFileW 1731->1732 1734 7ffd9b7f3616 1732->1734

                                                Executed Functions

                                                Function 00007FFD9B7F3525 Relevance: 1.6, APIs: 1, Instructions: 116fileCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1670908832.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b7f0000_2Mi3lKoJfj.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: 3b284fc15df134492a03276780d4271fd3fbd9ece4cb13c15461ba245708ab33
                                                • Instruction ID: 0cb1905b8c6b3cecef55421ce666ec286eb3fc94548c4d51d5687683c68ad2c4
                                                • Opcode Fuzzy Hash: 3b284fc15df134492a03276780d4271fd3fbd9ece4cb13c15461ba245708ab33
                                                • Instruction Fuzzy Hash: 0131163190CB4C4FDB19DB6888596E97FF0EF56311F0542AFC049D75A2CB34A905C791
                                                Function 00007FFD9B7F3569 Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 11 7ffd9b7f3569-7ffd9b7f35d8 16 7ffd9b7f35da-7ffd9b7f35df 11->16 17 7ffd9b7f35e2-7ffd9b7f3614 DeleteFileW 11->17 16->17 18 7ffd9b7f361c-7ffd9b7f364a 17->18 19 7ffd9b7f3616 17->19 19->18
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1670908832.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b7f0000_2Mi3lKoJfj.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: c234a9c6199dadb6daeb88f67ed5f4833d16f504419bcbd8037e9a47d404aa95
                                                • Instruction ID: e9aeedc9e0e12aff582aa6dcc78d1d29fc2ece21304b3b34b0cad1cfcfd4c983
                                                • Opcode Fuzzy Hash: c234a9c6199dadb6daeb88f67ed5f4833d16f504419bcbd8037e9a47d404aa95
                                                • Instruction Fuzzy Hash: 9631E63190DB5C8FDB19DB6888596E9BBF0FF65311F05426FD049D31A2CB74A805CB91
                                                Function 00007FFD9B7F206A Relevance: 1.6, APIs: 1, Instructions: 103fileCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 21 7ffd9b7f206a-7ffd9b7f35d8 25 7ffd9b7f35da-7ffd9b7f35df 21->25 26 7ffd9b7f35e2-7ffd9b7f3614 DeleteFileW 21->26 25->26 27 7ffd9b7f361c-7ffd9b7f364a 26->27 28 7ffd9b7f3616 26->28 28->27
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1670908832.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b7f0000_2Mi3lKoJfj.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: da0d63134d3efa36210d877cfbe87f6829214188104dc340cb03ed6d08f79f3b
                                                • Instruction ID: 429ca4d238eff1ad113bf1c22315462b327db8a14b1e2a9ed321458470b98afb
                                                • Opcode Fuzzy Hash: da0d63134d3efa36210d877cfbe87f6829214188104dc340cb03ed6d08f79f3b
                                                • Instruction Fuzzy Hash: 8631C531A08A1C9FDB58DF98C449AFDBBE0FF55311F00822FD04AD3651DB74A9458B91

                                                Execution Graph

                                                Execution Coverage:6.9%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:8
                                                Total number of Limit Nodes:1
                                                execution_graph 55341 7ffd9b7d3569 55342 7ffd9b7d3571 DeleteFileW 55341->55342 55344 7ffd9b7d3616 55342->55344 55336 7ffd9ba4e6f9 55337 7ffd9ba4e70f 55336->55337 55338 7ffd9ba4e7bb 55337->55338 55339 7ffd9ba4e8b4 SetWindowsHookExW 55337->55339 55340 7ffd9ba4e8f6 55339->55340

                                                Executed Functions

                                                Function 00007FFD9BB62326 Relevance: 7.4, Strings: 1, Instructions: 6106COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H
                                                • API String ID: 0-2852464175
                                                • Opcode ID: c740864a3aa3be24c8a3dd016ad3643357d4acb7e9ca8468525c57c3a2a1f881
                                                • Instruction ID: a3e56bfd5a651b8fb0b9f9f4bb0283ee63dffb1457e4b9e2ce7218f8021cc629
                                                • Opcode Fuzzy Hash: c740864a3aa3be24c8a3dd016ad3643357d4acb7e9ca8468525c57c3a2a1f881
                                                • Instruction Fuzzy Hash: 3573B312B1AE4F4FF7B596AC047527962C2FFD86A4B9A417AD01EC32F6ED19ED024340
                                                Function 00007FFD9BA5CAD5 Relevance: 3.7, Strings: 2, Instructions: 1223COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: V1_H$W&_L
                                                • API String ID: 0-2225251907
                                                • Opcode ID: 3c3e878a749f932a7d2d3f52fa4d03761ae887ee2f175f3325d6f87e497fcae0
                                                • Instruction ID: a100fd79e8d9a11edf4924283f757c0b0a2c126761248bf02db6389e93d61b72
                                                • Opcode Fuzzy Hash: 3c3e878a749f932a7d2d3f52fa4d03761ae887ee2f175f3325d6f87e497fcae0
                                                • Instruction Fuzzy Hash: 60825B31B1EA4E4FE7B4DBE88465AB837D1EF95310B0601B9D08DC71A7EE9C6E068741
                                                Function 00007FFD9BA5B851 Relevance: 2.2, Strings: 1, Instructions: 926COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2129 7ffd9ba5b851-7ffd9ba5b8b4 2131 7ffd9ba5b8b6-7ffd9ba5b910 2129->2131 2132 7ffd9ba5b915-7ffd9ba5b919 2129->2132 2174 7ffd9ba5beef-7ffd9ba5bf02 2131->2174 2133 7ffd9ba5b92a 2132->2133 2134 7ffd9ba5b91b-7ffd9ba5b923 call 7ffd9ba49fd0 2132->2134 2137 7ffd9ba5b92c-7ffd9ba5b935 2133->2137 2139 7ffd9ba5b928 2134->2139 2140 7ffd9ba5ba6a-7ffd9ba5ba6f 2137->2140 2141 7ffd9ba5b93b-7ffd9ba5b940 2137->2141 2139->2137 2142 7ffd9ba5ba71-7ffd9ba5ba83 call 7ffd9ba43830 2140->2142 2143 7ffd9ba5bad5-7ffd9ba5bad9 2140->2143 2144 7ffd9ba5bf03-7ffd9ba5bf35 2141->2144 2145 7ffd9ba5b946-7ffd9ba5b94b 2141->2145 2162 7ffd9ba5ba88-7ffd9ba5ba8f 2142->2162 2151 7ffd9ba5bb2a-7ffd9ba5bb55 2143->2151 2152 7ffd9ba5badb-7ffd9ba5baf7 call 7ffd9ba44180 2143->2152 2158 7ffd9ba5bf3c-7ffd9ba5bf5f 2144->2158 2149 7ffd9ba5b94d-7ffd9ba5b959 2145->2149 2150 7ffd9ba5b95f-7ffd9ba5b975 call 7ffd9ba49bf0 2145->2150 2149->2150 2149->2158 2159 7ffd9ba5b97a-7ffd9ba5ba65 call 7ffd9ba4a890 2150->2159 2181 7ffd9ba5bb64 2151->2181 2182 7ffd9ba5bb57-7ffd9ba5bb62 2151->2182 2178 7ffd9ba5bafd-7ffd9ba5bb25 2152->2178 2179 7ffd9ba5bf75-7ffd9ba5bf88 2152->2179 2172 7ffd9ba5bf61-7ffd9ba5bf6e 2158->2172 2173 7ffd9ba5bf8d-7ffd9ba5bf91 2158->2173 2159->2174 2167 7ffd9ba5ba91-7ffd9ba5bab2 call 7ffd9ba5b6f0 2162->2167 2168 7ffd9ba5ba85-7ffd9ba5ba86 2162->2168 2187 7ffd9ba5bab7-7ffd9ba5bad0 2167->2187 2168->2162 2172->2179 2188 7ffd9ba5bf98-7ffd9ba5bfe7 2173->2188 2178->2174 2179->2173 2189 7ffd9ba5bb66-7ffd9ba5bb95 2181->2189 2182->2189 2187->2174 2221 7ffd9ba5bfee-7ffd9ba5c030 2188->2221 2197 7ffd9ba5bb9b-7ffd9ba5bbba call 7ffd9ba47b40 2189->2197 2198 7ffd9ba5bd77-7ffd9ba5bd7a 2189->2198 2210 7ffd9ba5bbc0-7ffd9ba5bbd7 call 7ffd9ba47220 2197->2210 2211 7ffd9ba5bd6f-7ffd9ba5bd72 2197->2211 2202 7ffd9ba5bc8a-7ffd9ba5bc8c 2198->2202 2205 7ffd9ba5bc92-7ffd9ba5bcb1 call 7ffd9ba47b40 2202->2205 2206 7ffd9ba5bd41-7ffd9ba5bd4a 2202->2206 2205->2206 2225 7ffd9ba5bcb7-7ffd9ba5bcce call 7ffd9ba47220 2205->2225 2207 7ffd9ba5bd50-7ffd9ba5bd55 2206->2207 2208 7ffd9ba5be27-7ffd9ba5be2c 2206->2208 2215 7ffd9ba5bd7f 2207->2215 2216 7ffd9ba5bd57-7ffd9ba5bd65 2207->2216 2213 7ffd9ba5be2e-7ffd9ba5be52 2208->2213 2214 7ffd9ba5be7a-7ffd9ba5bee4 2208->2214 2229 7ffd9ba5bbf0-7ffd9ba5bbfa 2210->2229 2230 7ffd9ba5bbd9-7ffd9ba5bbef 2210->2230 2211->2202 2226 7ffd9ba5be72-7ffd9ba5be73 2213->2226 2227 7ffd9ba5be54-7ffd9ba5be6b 2213->2227 2237 7ffd9ba5beeb-7ffd9ba5beec 2214->2237 2224 7ffd9ba5bd81-7ffd9ba5bd83 2215->2224 2216->2224 2256 7ffd9ba5c032-7ffd9ba5c039 2221->2256 2257 7ffd9ba5c03b-7ffd9ba5c046 2221->2257 2231 7ffd9ba5bd8a-7ffd9ba5bd8f 2224->2231 2232 7ffd9ba5bd85-7ffd9ba5bd88 2224->2232 2245 7ffd9ba5bcd0-7ffd9ba5bce5 2225->2245 2246 7ffd9ba5bce7-7ffd9ba5bcee 2225->2246 2226->2214 2227->2226 2239 7ffd9ba5bbfc-7ffd9ba5bc20 2229->2239 2240 7ffd9ba5bc26-7ffd9ba5bc2d 2229->2240 2230->2229 2242 7ffd9ba5bd91-7ffd9ba5bdb3 2231->2242 2243 7ffd9ba5bdba-7ffd9ba5bdbf 2231->2243 2241 7ffd9ba5bdc2-7ffd9ba5bdce 2232->2241 2237->2174 2239->2188 2239->2240 2240->2221 2249 7ffd9ba5bc33-7ffd9ba5bc4a 2240->2249 2259 7ffd9ba5bdd0-7ffd9ba5bdd3 2241->2259 2260 7ffd9ba5be1a-7ffd9ba5be21 2241->2260 2242->2243 2243->2241 2245->2246 2246->2221 2255 7ffd9ba5bcf4-7ffd9ba5bd0a 2246->2255 2250 7ffd9ba5bc4c-7ffd9ba5bc69 2249->2250 2251 7ffd9ba5bc6b-7ffd9ba5bc84 call 7ffd9ba47b40 2249->2251 2250->2251 2251->2202 2281 7ffd9ba5bd67-7ffd9ba5bd6a 2251->2281 2261 7ffd9ba5bd23-7ffd9ba5bd3b call 7ffd9ba47b40 2255->2261 2262 7ffd9ba5bd0c-7ffd9ba5bd0d 2255->2262 2256->2257 2263 7ffd9ba5c047-7ffd9ba5c098 2256->2263 2267 7ffd9ba5bdd5-7ffd9ba5bdf0 2259->2267 2268 7ffd9ba5bdf8-7ffd9ba5be16 call 7ffd9ba453c0 2259->2268 2260->2207 2260->2208 2261->2206 2261->2225 2273 7ffd9ba5bd14-7ffd9ba5bd1c 2262->2273 2267->2268 2268->2260 2273->2261 2281->2210
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: d&_H
                                                • API String ID: 0-3974368547
                                                • Opcode ID: a90bd5f9a27fb626c825074e611d8ed8b34266856b5def0cfcb3e41a1bfb94c6
                                                • Instruction ID: 1ae5d7cc176070d29c7a75313a71f821adb99fce7300861e0561766f11a0c919
                                                • Opcode Fuzzy Hash: a90bd5f9a27fb626c825074e611d8ed8b34266856b5def0cfcb3e41a1bfb94c6
                                                • Instruction Fuzzy Hash: F552F231B19E4D4FDBA8EF9884656B9B3D1FF98301F41067DD44EC32A6DEA4B9428780
                                                Function 00007FFD9BA455D6 Relevance: 2.1, Instructions: 2125COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f1c50a486ce9114a8eb8956640749ad1f618d6adc239cdc8149d3a050a06930c
                                                • Instruction ID: 7ecbbb586ee2a3bf046fcadef5171dd4cd6d328611d2e48824245598c909a435
                                                • Opcode Fuzzy Hash: f1c50a486ce9114a8eb8956640749ad1f618d6adc239cdc8149d3a050a06930c
                                                • Instruction Fuzzy Hash: A2F29F70A19A0D8FDFA8DF58C894BA977E2FF98300F1141A9D44ED72A6DE74E941CB40
                                                Function 00007FFD9BA49FD0 Relevance: 1.1, Instructions: 1062COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 4864 7ffd9ba49fd0-7ffd9ba4a018 4868 7ffd9ba4a5be-7ffd9ba4a5d0 4864->4868 4869 7ffd9ba4a01e-7ffd9ba4a030 4864->4869 4869->4868 4871 7ffd9ba4a036-7ffd9ba4a06f 4869->4871 4871->4868 4875 7ffd9ba4a075-7ffd9ba4a0b6 4871->4875 4879 7ffd9ba4a0bc-7ffd9ba4a0d4 4875->4879 4880 7ffd9ba4a168-7ffd9ba4a17b 4875->4880 4885 7ffd9ba4a0da-7ffd9ba4a0fa 4879->4885 4886 7ffd9ba4a15c-7ffd9ba4a162 4879->4886 4883 7ffd9ba4a17d-7ffd9ba4a19e 4880->4883 4884 7ffd9ba4a1d0 4880->4884 4892 7ffd9ba4a1a0-7ffd9ba4a1c7 4883->4892 4893 7ffd9ba4a1c9-7ffd9ba4a1ce 4883->4893 4887 7ffd9ba4a1d2-7ffd9ba4a1d7 4884->4887 4885->4886 4897 7ffd9ba4a0fc-7ffd9ba4a10e 4885->4897 4886->4879 4886->4880 4890 7ffd9ba4a21e-7ffd9ba4a241 4887->4890 4891 7ffd9ba4a1d9-7ffd9ba4a1e0 4887->4891 4898 7ffd9ba4a337-7ffd9ba4a343 4890->4898 4899 7ffd9ba4a247-7ffd9ba4a26f 4890->4899 4894 7ffd9ba4a1e7-7ffd9ba4a201 4891->4894 4892->4887 4893->4887 4894->4890 4903 7ffd9ba4a203-7ffd9ba4a21c 4894->4903 4897->4886 4906 7ffd9ba4a110-7ffd9ba4a114 4897->4906 4898->4868 4902 7ffd9ba4a349-7ffd9ba4a35e 4898->4902 4911 7ffd9ba4a32b-7ffd9ba4a331 4899->4911 4912 7ffd9ba4a275-7ffd9ba4a290 4899->4912 4902->4868 4903->4890 4908 7ffd9ba4a5d1-7ffd9ba4a673 4906->4908 4909 7ffd9ba4a11a-7ffd9ba4a12f 4906->4909 4921 7ffd9ba4a679-7ffd9ba4a67b 4908->4921 4922 7ffd9ba4a785-7ffd9ba4a791 4908->4922 4917 7ffd9ba4a136-7ffd9ba4a138 4909->4917 4911->4898 4911->4899 4912->4911 4923 7ffd9ba4a296-7ffd9ba4a2a8 4912->4923 4917->4886 4920 7ffd9ba4a13a-7ffd9ba4a158 call 7ffd9ba453c0 4917->4920 4920->4886 4925 7ffd9ba4a67d-7ffd9ba4a68f 4921->4925 4926 7ffd9ba4a695-7ffd9ba4a6a3 4921->4926 4932 7ffd9ba4a793-7ffd9ba4a7b8 4922->4932 4933 7ffd9ba4a7ba 4922->4933 4923->4911 4937 7ffd9ba4a2ae-7ffd9ba4a2b2 4923->4937 4925->4926 4940 7ffd9ba4a7bf-7ffd9ba4a7f1 4925->4940 4930 7ffd9ba4a6a9-7ffd9ba4a6c0 4926->4930 4931 7ffd9ba4a7f8-7ffd9ba4a82b 4926->4931 4950 7ffd9ba4a6c2-7ffd9ba4a6d4 4930->4950 4951 7ffd9ba4a6da-7ffd9ba4a6dd 4930->4951 4955 7ffd9ba4a832-7ffd9ba4a83e 4931->4955 4932->4933 4933->4940 4937->4908 4941 7ffd9ba4a2b8-7ffd9ba4a2fb 4937->4941 4940->4931 4941->4911 4968 7ffd9ba4a2fd-7ffd9ba4a328 call 7ffd9ba453c0 4941->4968 4950->4951 4950->4955 4952 7ffd9ba4a6df-7ffd9ba4a6f6 4951->4952 4953 7ffd9ba4a706-7ffd9ba4a722 call 7ffd9ba47a50 4951->4953 4952->4953 4975 7ffd9ba4a6f8-7ffd9ba4a6fc 4952->4975 4976 7ffd9ba4a753-7ffd9ba4a757 4953->4976 4977 7ffd9ba4a724-7ffd9ba4a752 4953->4977 4961 7ffd9ba4a840-7ffd9ba4a864 4955->4961 4962 7ffd9ba4a867 4955->4962 4961->4962 4963 7ffd9ba4a869-7ffd9ba4a871 4962->4963 4964 7ffd9ba4a87b 4962->4964 4969 7ffd9ba4a873-7ffd9ba4a879 4963->4969 4970 7ffd9ba4a87d 4963->4970 4964->4970 4968->4911 4969->4964 4973 7ffd9ba4a881-7ffd9ba4a8bc 4969->4973 4970->4973 4974 7ffd9ba4a87f 4970->4974 4982 7ffd9ba4a8be-7ffd9ba4a8e5 4973->4982 4983 7ffd9ba4a8ff-7ffd9ba4a932 4973->4983 4974->4973 4985 7ffd9ba4a703-7ffd9ba4a704 4975->4985 4981 7ffd9ba4a75e-7ffd9ba4a784 4976->4981 4996 7ffd9ba4a939-7ffd9ba4a981 4982->4996 4997 7ffd9ba4a8e7-7ffd9ba4a8fe 4982->4997 4983->4996 4985->4953 5004 7ffd9ba4a983 4996->5004 5005 7ffd9ba4a985-7ffd9ba4a9a7 4996->5005 5004->5005 5007 7ffd9ba4a9ad-7ffd9ba4a9bf 5005->5007 5008 7ffd9ba4aa8a-7ffd9ba4aa96 5005->5008 5013 7ffd9ba4a9c1-7ffd9ba4a9ca 5007->5013 5014 7ffd9ba4a9cb-7ffd9ba4a9e3 call 7ffd9ba440b0 5007->5014 5011 7ffd9ba4aabf-7ffd9ba4aad3 5008->5011 5012 7ffd9ba4aa98-7ffd9ba4aabd 5008->5012 5018 7ffd9ba4ab15-7ffd9ba4ab17 5011->5018 5019 7ffd9ba4aad5-7ffd9ba4aaf2 5011->5019 5012->5011 5024 7ffd9ba4a9e5-7ffd9ba4aa16 5014->5024 5025 7ffd9ba4aa47-7ffd9ba4aa50 5014->5025 5023 7ffd9ba4ab19-7ffd9ba4ab1b 5018->5023 5022 7ffd9ba4aaf4-7ffd9ba4ab0f 5019->5022 5019->5023 5022->5023 5026 7ffd9ba4ab11-7ffd9ba4ab12 5022->5026 5027 7ffd9ba4ab1d-7ffd9ba4ab2b 5023->5027 5028 7ffd9ba4ab2c-7ffd9ba4ab3c 5023->5028 5032 7ffd9ba4aa41-7ffd9ba4aa45 5024->5032 5033 7ffd9ba4aa18-7ffd9ba4aa3f 5024->5033 5026->5023 5032->5024 5032->5025 5033->5032 5035 7ffd9ba4aa51-7ffd9ba4aa89 5033->5035
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: beb2ceb2357dee5993e731d6de154c68854d1235b8b7bbc49185b48e46d53d5c
                                                • Instruction ID: 6786b05a74f043e7f41a07ee2631cfaad9829bf90601b7acfeb1af75e47440c3
                                                • Opcode Fuzzy Hash: beb2ceb2357dee5993e731d6de154c68854d1235b8b7bbc49185b48e46d53d5c
                                                • Instruction Fuzzy Hash: 7462393171D94D4FEBA8EB6CD4A5A7933D2EF99300B0601B9E44EC72E6DE64EC428741
                                                Function 00007FFD9BA5EB29 Relevance: 1.0, Instructions: 969COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 5511 7ffd9ba5eb29-7ffd9ba5eb6b 5515 7ffd9ba5eb6d-7ffd9ba5eb8c 5511->5515 5516 7ffd9ba5ebbf-7ffd9ba5ec2f call 7ffd9ba45070 5511->5516 5515->5516 5521 7ffd9ba5ec31-7ffd9ba5ec36 5516->5521 5522 7ffd9ba5ec39-7ffd9ba5ec49 5516->5522 5521->5522 5523 7ffd9ba5f172-7ffd9ba5f17d 5522->5523 5524 7ffd9ba5ec4f-7ffd9ba5ec5f call 7ffd9ba4ac60 5522->5524 5526 7ffd9ba5f17f-7ffd9ba5f184 5523->5526 5527 7ffd9ba5f187-7ffd9ba5f1e7 call 7ffd9ba44780 5523->5527 5528 7ffd9ba5ec64-7ffd9ba5ec69 5524->5528 5526->5527 5535 7ffd9ba5f111-7ffd9ba5f16d 5527->5535 5536 7ffd9ba5f1ed-7ffd9ba5f1f6 5527->5536 5530 7ffd9ba5f07f-7ffd9ba5f0d1 5528->5530 5531 7ffd9ba5ec6f-7ffd9ba5ec7a 5528->5531 5549 7ffd9ba5f0d8-7ffd9ba5f10a 5530->5549 5533 7ffd9ba5ec7c-7ffd9ba5ec8d 5531->5533 5534 7ffd9ba5ec97-7ffd9ba5ecd0 call 7ffd9ba44780 5531->5534 5533->5534 5551 7ffd9ba5ec8f-7ffd9ba5ec94 5533->5551 5552 7ffd9ba5ecd2-7ffd9ba5ecf6 call 7ffd9ba4a990 call 7ffd9ba4aae0 5534->5552 5553 7ffd9ba5ecfb-7ffd9ba5edd9 call 7ffd9ba44780 5534->5553 5540 7ffd9ba5f1fc-7ffd9ba5f207 5536->5540 5541 7ffd9ba5f3eb-7ffd9ba5f437 5536->5541 5540->5541 5547 7ffd9ba5f20d-7ffd9ba5f210 5540->5547 5565 7ffd9ba5f43e-7ffd9ba5f485 5541->5565 5548 7ffd9ba5f216-7ffd9ba5f2b7 5547->5548 5547->5549 5586 7ffd9ba5f504-7ffd9ba5f50d 5548->5586 5587 7ffd9ba5f2bd-7ffd9ba5f2c5 5548->5587 5549->5535 5551->5534 5552->5553 5613 7ffd9ba5eddf-7ffd9ba5ede3 5553->5613 5614 7ffd9ba5f046-7ffd9ba5f04f 5553->5614 5575 7ffd9ba5f4a2-7ffd9ba5f4ab 5565->5575 5576 7ffd9ba5f487-7ffd9ba5f496 5565->5576 5581 7ffd9ba5f4ae-7ffd9ba5f4f5 5575->5581 5582 7ffd9ba5f49d-7ffd9ba5f4a0 5576->5582 5585 7ffd9ba5f4fc-7ffd9ba5f4ff 5581->5585 5582->5581 5588 7ffd9ba5f391-7ffd9ba5f3ac 5585->5588 5586->5588 5593 7ffd9ba5f513-7ffd9ba5f51b 5586->5593 5591 7ffd9ba5f2d4-7ffd9ba5f2eb 5587->5591 5592 7ffd9ba5f2c7-7ffd9ba5f2cc 5587->5592 5594 7ffd9ba5f3de-7ffd9ba5f3e6 5588->5594 5595 7ffd9ba5f3ae-7ffd9ba5f3bf 5588->5595 5591->5565 5599 7ffd9ba5f2f1-7ffd9ba5f374 5591->5599 5592->5591 5593->5588 5596 7ffd9ba5f521-7ffd9ba5f532 5593->5596 5606 7ffd9ba5f3c5-7ffd9ba5f3dc 5595->5606 5607 7ffd9ba5ef57-7ffd9ba5ef63 5595->5607 5596->5588 5605 7ffd9ba5f538-7ffd9ba5f543 5596->5605 5599->5588 5612 7ffd9ba5f56d-7ffd9ba5f585 5605->5612 5606->5594 5619 7ffd9ba5f012-7ffd9ba5f019 5607->5619 5620 7ffd9ba5ef69-7ffd9ba5ef81 5607->5620 5622 7ffd9ba5f023-7ffd9ba5f02c 5612->5622 5623 7ffd9ba5f58b-7ffd9ba5f5ca 5612->5623 5617 7ffd9ba5f01e 5613->5617 5618 7ffd9ba5ede9-7ffd9ba5ee4f 5613->5618 5614->5530 5617->5622 5618->5607 5626 7ffd9ba5f5d1-7ffd9ba5f5f1 call 7ffd9ba5f5f2 5619->5626 5620->5612 5628 7ffd9ba5ef87-7ffd9ba5efb2 5620->5628 5622->5614 5623->5626 5639 7ffd9ba5efb9-7ffd9ba5efcd 5628->5639 5643 7ffd9ba5efe2-7ffd9ba5f010 5639->5643 5644 7ffd9ba5efcf-7ffd9ba5efe0 5639->5644 5643->5619 5644->5619 5644->5643
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 01a0c9d6834f92c3cf948e7ab89e284bdae02c54ac9e5dd8e2efbd66da1bf9b5
                                                • Instruction ID: b01bda5498e31c93af9da9be84f8e869caac09b13854a8995ad10447cdee65d8
                                                • Opcode Fuzzy Hash: 01a0c9d6834f92c3cf948e7ab89e284bdae02c54ac9e5dd8e2efbd66da1bf9b5
                                                • Instruction Fuzzy Hash: 1862C231B18A4E4FDB98DF5888A16A973E2FF98300F1501A9E45AC72D6CE75ED428741
                                                Function 00007FFD9BA4AFDD Relevance: .9, Instructions: 862COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d24846447f3f4a6e48b0592ccf4ecbc175a995d7c6b6ca908e4a8151c4e8876a
                                                • Instruction ID: 9240bda7edb34126bf898879d8f6b2493409540027dff58d3a6fb7924b75d826
                                                • Opcode Fuzzy Hash: d24846447f3f4a6e48b0592ccf4ecbc175a995d7c6b6ca908e4a8151c4e8876a
                                                • Instruction Fuzzy Hash: 63527330B08A498FEB98EB2CC4A4B7577E2FF99300F5545B9E44DC72A6CE74E8418B41
                                                Function 00007FFD9BA49271 Relevance: .7, Instructions: 680COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e6d3ec082fbae77bdce0ad5d2f4e88452fc372fe94ea149f1638e210a7fc094
                                                • Instruction ID: 4954d3416a6785480cd2f7b603a993ed9c56fec2acd3fa23967348caf8ae1570
                                                • Opcode Fuzzy Hash: 3e6d3ec082fbae77bdce0ad5d2f4e88452fc372fe94ea149f1638e210a7fc094
                                                • Instruction Fuzzy Hash: 2322AF30B09A0D4FEBA8DB6D84A97B973E2FF99300F51417DD44EC32A2CE74A9468741
                                                Function 00007FFD9BA68E30 Relevance: .6, Instructions: 578COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8ee9972bc158f4d3c96eacb921eb5310b90185f32c15b6a92593f1b4730e34c9
                                                • Instruction ID: 076b671412d0f3d67eb36cd56cc876c96bac3ba26e811876260c9c8f9f547019
                                                • Opcode Fuzzy Hash: 8ee9972bc158f4d3c96eacb921eb5310b90185f32c15b6a92593f1b4730e34c9
                                                • Instruction Fuzzy Hash: 7C025E70B1894D8FDB98EF68C4A5EA977E2FFA8340F114179E40DC3296DE64EC418780
                                                Function 00007FFD9BA63AF9 Relevance: .5, Instructions: 534COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2721345fec1a13e155f3548c3a6f62fdb4c3407b7fefb05ee4607f5fcc433d64
                                                • Instruction ID: b04617d148186e427406b16168c404d4d907e58b7a72c310731d589278ca128c
                                                • Opcode Fuzzy Hash: 2721345fec1a13e155f3548c3a6f62fdb4c3407b7fefb05ee4607f5fcc433d64
                                                • Instruction Fuzzy Hash: 67F12670B1DA4D8FEBA4EB6C84A567437D2FF98300B0505B9D04DC72E2DE69AD478341
                                                Function 00007FFD9BA4621F Relevance: .5, Instructions: 533COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c86f0608e0970c2fbd308927b64ba1b49456949b694bbee90cbc3be43fd3ccec
                                                • Instruction ID: 0ad773de999aad0962976d0cd12900a719b22a384743ceef9f4391d8f17bbd80
                                                • Opcode Fuzzy Hash: c86f0608e0970c2fbd308927b64ba1b49456949b694bbee90cbc3be43fd3ccec
                                                • Instruction Fuzzy Hash: 35025C30E18A1D8FEBA8DF58C4947B9B3E2FF98301F1545B9D44ED32A5DA74B9818B40
                                                Function 00007FFD9BA57C16 Relevance: .5, Instructions: 477COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d79fddab94b971f017fb1bcaa090395ce26f8705a0ddaaddd5cbae2dc74dea31
                                                • Instruction ID: 78d0f1fa8ff42cf999dbea866b0cc5d4ec2f18f937cac53cbeece4b049a8bc26
                                                • Opcode Fuzzy Hash: d79fddab94b971f017fb1bcaa090395ce26f8705a0ddaaddd5cbae2dc74dea31
                                                • Instruction Fuzzy Hash: EEF1C530609A8D8FEBA8DF68C855BF977D1FF54310F04426EE84DC7295CB749A458B82
                                                Function 00007FFD9BA58A0F Relevance: .4, Instructions: 428COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7851c738cf6f8ac834255052fc4d6773d14fca6c6fba077166ea14ca13b8c0d4
                                                • Instruction ID: f38de633dbbd9e99d73b0728300e68bbcc52f6918d57919681696f1b93965f3a
                                                • Opcode Fuzzy Hash: 7851c738cf6f8ac834255052fc4d6773d14fca6c6fba077166ea14ca13b8c0d4
                                                • Instruction Fuzzy Hash: EFE1B230A09A4D8FEBA8DF68C8657ED77D1FB54310F01422ED84DC7295DFB8AA408B81
                                                Function 00007FFD9BA4E6F9 Relevance: 1.8, APIs: 1, Instructions: 278COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2749 7ffd9ba4e6f9-7ffd9ba4e7b9 call 7ffd9ba4e0e8 2763 7ffd9ba4e7bb-7ffd9ba4e7f7 2749->2763 2764 7ffd9ba4e7f8-7ffd9ba4e87e 2749->2764 2772 7ffd9ba4e884-7ffd9ba4e891 2764->2772 2773 7ffd9ba4e936-7ffd9ba4e93a 2764->2773 2774 7ffd9ba4e893-7ffd9ba4e8f4 SetWindowsHookExW 2772->2774 2773->2774 2778 7ffd9ba4e8fc-7ffd9ba4e935 2774->2778 2779 7ffd9ba4e8f6 2774->2779 2779->2778
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4111572734.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9ba40000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cfaaaa91d665a83478144032e89661bc1118105cb09814fa1caba7d28e2bd66a
                                                • Instruction ID: b4e5f2477f0c01ac7c803f140ab366a874bc937ac0562895abba286a7cee145f
                                                • Opcode Fuzzy Hash: cfaaaa91d665a83478144032e89661bc1118105cb09814fa1caba7d28e2bd66a
                                                • Instruction Fuzzy Hash: EE714631B1DA4D4FDB68EB6C98665F9B7E1EF99310B0442BFD049C7297DE24A8028781
                                                Function 00007FFD9B7D3525 Relevance: 1.6, APIs: 1, Instructions: 132fileCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 3051 7ffd9b7d3525-7ffd9b7d352f 3052 7ffd9b7d3571-7ffd9b7d35d8 3051->3052 3053 7ffd9b7d3531-7ffd9b7d3562 3051->3053 3059 7ffd9b7d35da-7ffd9b7d35df 3052->3059 3060 7ffd9b7d35e2-7ffd9b7d3614 DeleteFileW 3052->3060 3053->3052 3059->3060 3061 7ffd9b7d361c-7ffd9b7d364a 3060->3061 3062 7ffd9b7d3616 3060->3062 3062->3061
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4109333215.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: 5462767fc94b4015a4d1651b12ee893937da22625433bb942eb66ce498b24b8a
                                                • Instruction ID: 2bd7f9b24b614ac6a9018da5b9cd306ce71b993349f198519c1eb312645ce632
                                                • Opcode Fuzzy Hash: 5462767fc94b4015a4d1651b12ee893937da22625433bb942eb66ce498b24b8a
                                                • Instruction Fuzzy Hash: AF41163190DB4C8FDB59DF6888596E97BF0FF96311F0542ABD049C71A2DA24A809C791
                                                Function 00007FFD9B7D3569 Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 3118 7ffd9b7d3569-7ffd9b7d35d8 3123 7ffd9b7d35da-7ffd9b7d35df 3118->3123 3124 7ffd9b7d35e2-7ffd9b7d3614 DeleteFileW 3118->3124 3123->3124 3125 7ffd9b7d361c-7ffd9b7d364a 3124->3125 3126 7ffd9b7d3616 3124->3126 3126->3125
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4109333215.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: 1d3f35bcb4f1c16bac66cb6f9841f2fa20088f62f9a08502dac3c0b80d900177
                                                • Instruction ID: 7cfc8fb1434b9cd790aeb3f3b1c706afa0c1b00c50b3afaf7c294445ca98e7c2
                                                • Opcode Fuzzy Hash: 1d3f35bcb4f1c16bac66cb6f9841f2fa20088f62f9a08502dac3c0b80d900177
                                                • Instruction Fuzzy Hash: 3431E43190DB5C8FDB19DB588859AE9BBF0FFA6311F05426FD049D32A2CB74A805CB91
                                                Function 00007FFD9BB652F1 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H
                                                • API String ID: 0-2852464175
                                                • Opcode ID: ae87104d11d8d9150e5954212d92aa8ceb35f654d66beb3651123fbeaa7062c1
                                                • Instruction ID: d9a2403cfbd4960ffb7b65756376a970bd98cb1edde4f1b9042c2763146095ef
                                                • Opcode Fuzzy Hash: ae87104d11d8d9150e5954212d92aa8ceb35f654d66beb3651123fbeaa7062c1
                                                • Instruction Fuzzy Hash: CD21FB02B1EA4E4FF7B5A66C047927866C2EFD8564B5A01BAD41EC72F6ED19ED014300
                                                Function 00007FFD9BB6207D Relevance: .3, Instructions: 277COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 62e5d9038dedbebf48f1756f20751da6c44caa7596ce38b4e895eac213acafea
                                                • Instruction ID: 2e57c5c567a92ab45df7460fd65e03218c11e8cfe89983c391286470b038edaa
                                                • Opcode Fuzzy Hash: 62e5d9038dedbebf48f1756f20751da6c44caa7596ce38b4e895eac213acafea
                                                • Instruction Fuzzy Hash: 7181AF11B1AFAA5FE7A597AC88A577972D6EF98700F460179D10CC32E3CE5CAE064381
                                                Function 00007FFD9BB60001 Relevance: .2, Instructions: 159COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a8758863122a74c92947193aed2a93efe3ebff85822ceada03b253fe1b8056a2
                                                • Instruction ID: b45162fb495c1d3c982a92d011e892e1c0f07a22a405e6bce3785a9ac6b01f8e
                                                • Opcode Fuzzy Hash: a8758863122a74c92947193aed2a93efe3ebff85822ceada03b253fe1b8056a2
                                                • Instruction Fuzzy Hash: 4441E462A0EACD4FD76696684879BB13FE1EF66620B4A02FFD08DC71E3D905AD418341
                                                Function 00007FFD9B6BED65 Relevance: .1, Instructions: 134COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4109071859.00007FFD9B6BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9b6bd000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 93b7ec306b41aba7746d4ffc68d69bfe7b27705eb8a769d5ce9fed7243bd98d9
                                                • Instruction ID: bed7eb6b3235ae02ec0935f88201a97ed2268a9f6c2670f94ca9785107feab77
                                                • Opcode Fuzzy Hash: 93b7ec306b41aba7746d4ffc68d69bfe7b27705eb8a769d5ce9fed7243bd98d9
                                                • Instruction Fuzzy Hash: E841087150EBC44FD7A68B2898558513FF0EF56320B1506DFD0D8CF1A3C664B846CB92
                                                Function 00007FFD9BB6014A Relevance: .1, Instructions: 126COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3fb75af149fffd0c9a82d1d6cd018d9310cc5112f131f1d8fbfa687e763b34d
                                                • Instruction ID: af701eed28c746f98f50391fa52c6a212298f18b88835789068fe6f53286b60c
                                                • Opcode Fuzzy Hash: a3fb75af149fffd0c9a82d1d6cd018d9310cc5112f131f1d8fbfa687e763b34d
                                                • Instruction Fuzzy Hash: 1D314722B1EA8D4FE798DB6D44B66B477C1FF65720B4501BDE48EC32E2DD08AC428342
                                                Function 00007FFD9BB60676 Relevance: .1, Instructions: 123COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2b4327fbad28dc79eb5865793d23f1bc2eccf7da44bd0e42bbe80966f419acb1
                                                • Instruction ID: 5bacaaf7061f80501f15631b20cedfe817d90e263ad570c9d64e4131ca2d7f2b
                                                • Opcode Fuzzy Hash: 2b4327fbad28dc79eb5865793d23f1bc2eccf7da44bd0e42bbe80966f419acb1
                                                • Instruction Fuzzy Hash: C2314862B1DA8D4FE7989A5C58767B477C1FBA4724F85017DD48EC32E7DC18AC018342
                                                Function 00007FFD9BB62AAF Relevance: .1, Instructions: 109COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: af3f15bb833e88cd4b8a5d41d1c0c80fee88135c716a828acac3f4e9f7bcdd27
                                                • Instruction ID: b55b718965e7ec79d0bdbb673827bb5fd5f74b37a68f6099c08b126a6155fc86
                                                • Opcode Fuzzy Hash: af3f15bb833e88cd4b8a5d41d1c0c80fee88135c716a828acac3f4e9f7bcdd27
                                                • Instruction Fuzzy Hash: 6121BB12B1AE4F4FF7B996AC146527C62C3EFD86A475A02BAD00EC72FAED15DD424340
                                                Function 00007FFD9BB635BA Relevance: .1, Instructions: 109COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f20ccceef5634b10f045bb4d2f8c475626ff39d28bdb0070bb29bb6035100d24
                                                • Instruction ID: 9bfafe191ce51c257d2ac8ca18efa903b59122326552527476a3a922a506e53a
                                                • Opcode Fuzzy Hash: f20ccceef5634b10f045bb4d2f8c475626ff39d28bdb0070bb29bb6035100d24
                                                • Instruction Fuzzy Hash: FB21D712B1EE4F0FE7B9966C146567862C2EFD42A479A017AD00EC33E6ED19ED424341
                                                Function 00007FFD9BB63D9F Relevance: .1, Instructions: 108COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b58132004598916bc233b67b2d57ba0f7ef74a447f6f0373ec7e24356cf70db
                                                • Instruction ID: 5183b397b0e65689843ccea1cee17846eab22996f039650b293a44aca203dcdb
                                                • Opcode Fuzzy Hash: 9b58132004598916bc233b67b2d57ba0f7ef74a447f6f0373ec7e24356cf70db
                                                • Instruction Fuzzy Hash: 7421C312B1EE4F4FF7B6966C087567866C2EFD826475A41BAD00EC32E7ED19ED024340
                                                Function 00007FFD9BB63293 Relevance: .1, Instructions: 107COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 18faa8e6d3f38c1a89486569908b59df8b648ca55474a279e25041a89105d9ef
                                                • Instruction ID: 4af1bd67e92d5ab29e136b747f0d8fbe0be0a1299d175be7b23c5edbe335588c
                                                • Opcode Fuzzy Hash: 18faa8e6d3f38c1a89486569908b59df8b648ca55474a279e25041a89105d9ef
                                                • Instruction Fuzzy Hash: 0B21B612B1AE4F4FF7B5A6AC047567872C2EFD86A4B5A417AD00EC32F6ED19ED424340
                                                Function 00007FFD9BB65090 Relevance: .1, Instructions: 103COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b9e7f35421260eae3f70c80b8131004b013eecdeea7af25ecd5434a23a1d69d
                                                • Instruction ID: 981f293ba77bfe6a54ee2831a34bd14e70e729683cab68537eed236c7eff5429
                                                • Opcode Fuzzy Hash: 0b9e7f35421260eae3f70c80b8131004b013eecdeea7af25ecd5434a23a1d69d
                                                • Instruction Fuzzy Hash: 3B21B412B1AE4F4FE7B5966C047567862C2FFD8264B9A41BAD00EC72E6ED19ED024380
                                                Function 00007FFD9BB643EE Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8845b08d1635ee69f9ad5104a1dccb0c6ee4b94aa525f531876edc45a461c464
                                                • Instruction ID: da3264e5e1cb8a73c44eb077ff8d853bad5e53ae97418aa8588ba96e47a05295
                                                • Opcode Fuzzy Hash: 8845b08d1635ee69f9ad5104a1dccb0c6ee4b94aa525f531876edc45a461c464
                                                • Instruction Fuzzy Hash: 5F21F812B1EE4F0FF7B9A66C047517461C2EFD866479A027ED00EC32E6ED19ED024340
                                                Function 00007FFD9BB639C2 Relevance: .1, Instructions: 98COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b402e8d54debed3bb33f12f96d1af435934bbaf6cb866178ae09644d92a53044
                                                • Instruction ID: 5d4f601ac76f8bbd7a44d18cb58a97f3bc6f71aa9cab9e3f9f10363b1357b37c
                                                • Opcode Fuzzy Hash: b402e8d54debed3bb33f12f96d1af435934bbaf6cb866178ae09644d92a53044
                                                • Instruction Fuzzy Hash: 51218812B1AE4E4FE7B5A66C146527876C2EFD856475A02BBD00EC33EAED25ED424340
                                                Function 00007FFD9BB6292E Relevance: .1, Instructions: 97COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b07cbc2df43bf42777c20f0286aa4049073664f2d3c310b0db91105a605e2f7f
                                                • Instruction ID: 9f797a032975798a078c60844abb34e060fee068f6e4155754c5eebe9f67563d
                                                • Opcode Fuzzy Hash: b07cbc2df43bf42777c20f0286aa4049073664f2d3c310b0db91105a605e2f7f
                                                • Instruction Fuzzy Hash: 6721CB11B1AE4F4FF7B5A66C046567861C2EFD866479A42BAD40EC33F7ED19ED024340
                                                Function 00007FFD9BB6555F Relevance: .1, Instructions: 95COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ec65cf9c34cea8a73dfd375ea5c9994f9d3dfc974426601a2bfe69dbb48b9183
                                                • Instruction ID: e6682e3a9bb2cd0b0cc2d1980f5bc215a294a7c4f1577e1cf2edfd06635412d0
                                                • Opcode Fuzzy Hash: ec65cf9c34cea8a73dfd375ea5c9994f9d3dfc974426601a2bfe69dbb48b9183
                                                • Instruction Fuzzy Hash: 4221CB12B1AE4E4FF7B5966C047967861C3FFD826479A02BAD40EC73E6ED19ED024340
                                                Function 00007FFD9BB63762 Relevance: .1, Instructions: 94COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08efab67f14344d7f57a3a590887c77507ce1123b37e25621b05777956ce85de
                                                • Instruction ID: 4f6b4188feafbfe1dd0016d68b29349f7cc912fc88859425b7bdf4420e73b1a8
                                                • Opcode Fuzzy Hash: 08efab67f14344d7f57a3a590887c77507ce1123b37e25621b05777956ce85de
                                                • Instruction Fuzzy Hash: 8821F811B1AE4E4FF7B9A66C146567971C3EFD826479A02BAD40EC33E6ED29ED024300
                                                Function 00007FFD9BB64E48 Relevance: .1, Instructions: 93COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cc618f0e25938716751b78adf792bf21a8010f7e22281e0a1a7d801a223905a5
                                                • Instruction ID: cc0c5dc95c6f39cdece030da7f2f3a4d9c529f1270207a1c669a8c84bf555ebd
                                                • Opcode Fuzzy Hash: cc618f0e25938716751b78adf792bf21a8010f7e22281e0a1a7d801a223905a5
                                                • Instruction Fuzzy Hash: C621F811B1AE4F4FE7B9A66C04B527861C2EFD816475A42BDD01EC33F6ED29ED024340
                                                Function 00007FFD9BB63CF1 Relevance: .1, Instructions: 93COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 83515d40bad65b90e10509b99e8ccfa65531aeb8cd98babab23e60fc50b8bf74
                                                • Instruction ID: aa07a4e9087ee0f623645b2bca65431ed23580e05914627dbf6f4f3c6be750fb
                                                • Opcode Fuzzy Hash: 83515d40bad65b90e10509b99e8ccfa65531aeb8cd98babab23e60fc50b8bf74
                                                • Instruction Fuzzy Hash: 3E210A12B1EE4F4FF7B5A66C0465278B1C2EFD826479A42BAD01EC32E6DD29DD424340
                                                Function 00007FFD9BB626DA Relevance: .1, Instructions: 92COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 42e9a0bffa841868df78015066ff1a6920f8ff6fb3192c3b7b197b9d24d82c82
                                                • Instruction ID: 362d28214ea9e87d6a9bf21e424107a52bd0a628e29e6f58715edd2396b84b6f
                                                • Opcode Fuzzy Hash: 42e9a0bffa841868df78015066ff1a6920f8ff6fb3192c3b7b197b9d24d82c82
                                                • Instruction Fuzzy Hash: 1921D712B1AE4E0FF3B996AC147567961C3EFD8264B9A41BAD40EC33F6DC19ED464340
                                                Function 00007FFD9BB63B82 Relevance: .1, Instructions: 75COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 515d7cf157f129959b0da72a0a07fd23b19e0e63f7814f7641ab84a42d049102
                                                • Instruction ID: 62f1c60c2bbd3dbc5e5c0151af4d6473bf24b189371df737f37afac48407b38e
                                                • Opcode Fuzzy Hash: 515d7cf157f129959b0da72a0a07fd23b19e0e63f7814f7641ab84a42d049102
                                                • Instruction Fuzzy Hash: 0B11E622B1EE4F4FF7B5966C0474278A6C2EFC922475E01BAD44EC32E6ED2ADC024300
                                                Function 00007FFD9BB6597E Relevance: .1, Instructions: 75COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e66d835acb512ce4d87c15cd28dc180975034c35ccea8d8072ba936c4a26668
                                                • Instruction ID: d9b11e654533260a95a7b1b06d469ac3f3fa4da45c631c4dcd83b774d7367ec3
                                                • Opcode Fuzzy Hash: 6e66d835acb512ce4d87c15cd28dc180975034c35ccea8d8072ba936c4a26668
                                                • Instruction Fuzzy Hash: 4611B61271AE4E4FF7B9A66C1465678A2C2EFC422475A02BAD41EC73E6ED29ED424300
                                                Function 00007FFD9BB65330 Relevance: .1, Instructions: 74COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e53e8af7924bd2055ab71fa37b7a6253707befe7aaef05e9e205d9a4440930b1
                                                • Instruction ID: becc8377f6cf0208b0270805c7e7aba46eff6d89cb17d9eece6b9f71cda7013c
                                                • Opcode Fuzzy Hash: e53e8af7924bd2055ab71fa37b7a6253707befe7aaef05e9e205d9a4440930b1
                                                • Instruction Fuzzy Hash: FF11C81271AE4E4FF7B5966C1474678A2C2EFC8664B5A02BAD41EC73E6ED29ED024340
                                                Function 00007FFD9BB65268 Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 246bb5f6a098962a3c6b6c2ffc70af4e1bd73288f484e3c7c1ca23b7056ee322
                                                • Instruction ID: e71532717cfa325c8838c3d164687da58ffd322c663524bedcc74536a601053e
                                                • Opcode Fuzzy Hash: 246bb5f6a098962a3c6b6c2ffc70af4e1bd73288f484e3c7c1ca23b7056ee322
                                                • Instruction Fuzzy Hash: 9B11EB1271AE4F4FF7F5966C1474678B1C2EFD826475A01B9D44EC72E6ED19DD018300
                                                Function 00007FFD9BB62342 Relevance: .1, Instructions: 71COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57aba3687788e29547b749cc289f9abd97508715ca9a8587515fc105830e84ef
                                                • Instruction ID: c83f4e3fc2ffa16b16659018b7e2d6986cead851c11be187401807b1cc39c34c
                                                • Opcode Fuzzy Hash: 57aba3687788e29547b749cc289f9abd97508715ca9a8587515fc105830e84ef
                                                • Instruction Fuzzy Hash: E611B123A0FBCA4FE76387B858A01607FA1AF9712474E01FBD098CB1F7D919AD068311
                                                Function 00007FFD9BB60EE1 Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4112333614.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9bb60000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7132ee8eef00a2a47b9499304da65b0b0587b90a3f8772fa7fd1dea43b6e66bc
                                                • Instruction ID: c277094a63c695ef2070010399b23b5bf5c8e96c6e2dfb846ddffadd09b4ac22
                                                • Opcode Fuzzy Hash: 7132ee8eef00a2a47b9499304da65b0b0587b90a3f8772fa7fd1dea43b6e66bc
                                                • Instruction Fuzzy Hash: 75D0C711B1A5154BF21411CC68623F8B185DBC8754F511237D409C62E6C8CE6DC542C2

                                                Non-executed Functions

                                                Function 00007FFD9B7DF1F2 Relevance: .1, Instructions: 120COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.4109333215.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_7ffd9b7d0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4298868b97980445e5d5c272daf9e2cfb6694a7b22e7685cbcfb5ae1d9f0cac8
                                                • Instruction ID: 3e5e262c76ada3a934f261909915bcfe50caa2483cc820e77c58e5ed09571075
                                                • Opcode Fuzzy Hash: 4298868b97980445e5d5c272daf9e2cfb6694a7b22e7685cbcfb5ae1d9f0cac8
                                                • Instruction Fuzzy Hash: CA31521FF091E216D715F3BCB5B68ED3B60DF8227E71982F3D19D4D0A79C04208A4295

                                                Executed Functions

                                                Function 00007FFD9B7F0B78 Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ;M_I
                                                • API String ID: 0-1276053120
                                                • Opcode ID: f6cc38a9e5b8432612579d4edf6022de715f31de580790dec61726522bd4ba9f
                                                • Instruction ID: b59b2e6b992af11cdd90efd6ee4613f70f92dad391b28adc8028b8584692d022
                                                • Opcode Fuzzy Hash: f6cc38a9e5b8432612579d4edf6022de715f31de580790dec61726522bd4ba9f
                                                • Instruction Fuzzy Hash: E6A16D25B0F6C94BE3249B6C68745A87FE1FF91704B9542FAE488473FBD928A801C385
                                                Function 00007FFD9B7F15FA Relevance: 1.3, Strings: 1, Instructions: 84COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .M_^
                                                • API String ID: 0-2820351210
                                                • Opcode ID: 747a9978078ed1ccac7da01fe2f52fb743bbbd62d9bff7fe183f6c7e5ed22da0
                                                • Instruction ID: 51d5e58b6e6bdf569144e0e611c36c9901932db9e3842cca4da8460930d28796
                                                • Opcode Fuzzy Hash: 747a9978078ed1ccac7da01fe2f52fb743bbbd62d9bff7fe183f6c7e5ed22da0
                                                • Instruction Fuzzy Hash: 0121F316B0EA9D0FD365AB6C9C751F47BE0EF96221B0E03F7C089C71A3DC0859064394
                                                Function 00007FFD9B7F2188 Relevance: .3, Instructions: 294COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2b0898392373bc9f4e67657cd2d4c62d718052f06358e1a5abac5462a017e75e
                                                • Instruction ID: 852b0771116f41139ac4caff365c094a5b5b5a126515ffe193206a1ee34f457d
                                                • Opcode Fuzzy Hash: 2b0898392373bc9f4e67657cd2d4c62d718052f06358e1a5abac5462a017e75e
                                                • Instruction Fuzzy Hash: 2491D731B19E4E4FEBA5EB6884657B977D2EF94340F4502B5E40DC72F6DD28AD028384
                                                Function 00007FFD9B7F2DE9 Relevance: .2, Instructions: 235COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3bbb51378bc6f6c2439ce93a787378f68897c05e67a30859f93e70c635eb830a
                                                • Instruction ID: 26b65636d940d049fea7ba6f761283d344dde8eaf20f2f1ba635703a5dd921ab
                                                • Opcode Fuzzy Hash: 3bbb51378bc6f6c2439ce93a787378f68897c05e67a30859f93e70c635eb830a
                                                • Instruction Fuzzy Hash: 9C619861B1990D4FDB98EBA884757FCB7D2EF98310F554279E05ED32E6CE146C428780
                                                Function 00007FFD9B7F2729 Relevance: .2, Instructions: 161COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cb08ab80d2e4b3ddc1424fc24ec99ee12c08e6c59e51040b984c3f6b3efdd650
                                                • Instruction ID: 25e576ec286d16fd034b52a5ede85083fb5ce4a3c7ff578371ddd78864ade4c3
                                                • Opcode Fuzzy Hash: cb08ab80d2e4b3ddc1424fc24ec99ee12c08e6c59e51040b984c3f6b3efdd650
                                                • Instruction Fuzzy Hash: F4415F21B1DB490FE75897AC94657B97BD1EF94314F40027EF05EC32E2CD286D028796
                                                Function 00007FFD9B7F24E8 Relevance: .2, Instructions: 154COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d1634cbe9db76019001b989e22ba739e7b2b69ce1c415e24a2bc02eafe9200d6
                                                • Instruction ID: 502b4002d40c0bc4b823c136b4c17dcc7e92b697def8230310fcf5ca8573f9d6
                                                • Opcode Fuzzy Hash: d1634cbe9db76019001b989e22ba739e7b2b69ce1c415e24a2bc02eafe9200d6
                                                • Instruction Fuzzy Hash: C0418628B19D1E0FEA94F6685075AFD6AD3FB94280B9145B4E01DD36EACD2CDD128384
                                                Function 00007FFD9B7F196D Relevance: .1, Instructions: 92COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a9203ffc76b708750fc55d526d1737f16222c6e3ba512f8ec1065c4b5c9aa6f
                                                • Instruction ID: 1f014d5dbb9f7ffc1aed9ab29263348cb992171c3d9331e84f82cf3ed4282a8c
                                                • Opcode Fuzzy Hash: 3a9203ffc76b708750fc55d526d1737f16222c6e3ba512f8ec1065c4b5c9aa6f
                                                • Instruction Fuzzy Hash: C3210331B0E6864FDB55DB6880D55A57B91EF51310F1683FAC0588B5BBD928AC86C3C0
                                                Function 00007FFD9B7F1BF5 Relevance: .1, Instructions: 84COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e335cad53a13f00281d11b93003801d363ca8ad1683eb926aa3c173dc2e2672f
                                                • Instruction ID: c454446dbe73dc916c316c787d0ac18b76907c5003c05beb7bd475e43f8ab23f
                                                • Opcode Fuzzy Hash: e335cad53a13f00281d11b93003801d363ca8ad1683eb926aa3c173dc2e2672f
                                                • Instruction Fuzzy Hash: 4531B4386099894FE358E71CB0A9AE97FB1BBD4308FC045E5E418A33DACA3CA415C751
                                                Function 00007FFD9B7F32DD Relevance: .1, Instructions: 83COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: de179a8debc0b43d30450df6ffab21b8c6e31cfbc3609e80b70790ca1631ba3c
                                                • Instruction ID: 2fc2d9db848a8cd12dab870a45ae1dea4751e9169f75d452905c4003e918b7f1
                                                • Opcode Fuzzy Hash: de179a8debc0b43d30450df6ffab21b8c6e31cfbc3609e80b70790ca1631ba3c
                                                • Instruction Fuzzy Hash: BE21F431F19A5D4FD794EB6898699A877D1FF58305B4601B6E40DC72A6DE28EC00C781
                                                Function 00007FFD9B7F0872 Relevance: .1, Instructions: 81COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b78952f713ca394bfd7df78c62711959cd1c4ee7c320480face10f6c97eedb9f
                                                • Instruction ID: 8835550423c541dac0ba3bea576b9a6857f6700b304cd96f5c49c310ffa0d169
                                                • Opcode Fuzzy Hash: b78952f713ca394bfd7df78c62711959cd1c4ee7c320480face10f6c97eedb9f
                                                • Instruction Fuzzy Hash: C221E792B1EBC64FE355AB644835AA57FA1EF51740F4506FAD099C72E7EC1828048391
                                                Function 00007FFD9B7F3491 Relevance: .1, Instructions: 74COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b51c72c8ae40254496845ac2b24cabf67b029a8f57b4a019449c540a60a059cd
                                                • Instruction ID: 7749674ce60c721377dc53477067dcc175d920c7ee7382345ab4a2c6dd7f0839
                                                • Opcode Fuzzy Hash: b51c72c8ae40254496845ac2b24cabf67b029a8f57b4a019449c540a60a059cd
                                                • Instruction Fuzzy Hash: CB117D21B0EB850FE395E6786C698F57FD0DF9022470503BBE44CC31B3CD0895868391
                                                Function 00007FFD9B7F28D5 Relevance: .1, Instructions: 62COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 396a8372869d3e6d24a05ee1bee0cc4a3461b30504077316cf957504feedd9ce
                                                • Instruction ID: 2781bcd954107f2cb66156e1b87b5396acbd94ebed4a636039cb44bfe43b42de
                                                • Opcode Fuzzy Hash: 396a8372869d3e6d24a05ee1bee0cc4a3461b30504077316cf957504feedd9ce
                                                • Instruction Fuzzy Hash: 5B11C620B0EBCD0FE347E37858A8AA43FD1EF46215B0A41E7E488CB0B7C9584945C342
                                                Function 00007FFD9B7F0DA9 Relevance: .1, Instructions: 60COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 46c167362b41d3dc5a957dd829cf78b58e5c3395d2033a59e68262e0f8e2d12e
                                                • Instruction ID: 24796269d54d89061df1a1df490b55fd6b77a638835a8a731d82387323ecd581
                                                • Opcode Fuzzy Hash: 46c167362b41d3dc5a957dd829cf78b58e5c3395d2033a59e68262e0f8e2d12e
                                                • Instruction Fuzzy Hash: 73014E5371AD8E0ADBA5A62C54A59F67B82DBD5710B0506B6D40DC23B6DD18BD4243C0
                                                Function 00007FFD9B7F1E58 Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 438500eb9df471dce427ea4611a325c169b5f8130cddda9fa0823cb93a827a76
                                                • Instruction ID: b6ee8f7ec8c951da5c002d9f40693b11a758fce38e8021a804c49389cc8aa791
                                                • Opcode Fuzzy Hash: 438500eb9df471dce427ea4611a325c169b5f8130cddda9fa0823cb93a827a76
                                                • Instruction Fuzzy Hash: D2F0F022F1981D0FE754F6AD54ECAFA7BD1DBAC22671502B7E40CC72B7DC0498428381
                                                Function 00007FFD9B7F1E70 Relevance: .0, Instructions: 38COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a33c4f289f0f918d9ca77e1d5369cc6352d16bd8c698e3263572bb0c8931fbce
                                                • Instruction ID: 460693d778915d3dc3532e3c8fef514c5ede74a2b54f19813b0bd8c65b91c4a7
                                                • Opcode Fuzzy Hash: a33c4f289f0f918d9ca77e1d5369cc6352d16bd8c698e3263572bb0c8931fbce
                                                • Instruction Fuzzy Hash: C1E09B21F19C1D1FA794F6AD44DDF7966C1DBAC2117510576E41CC72B6DC149C418381
                                                Function 00007FFD9B7F094D Relevance: .0, Instructions: 26COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 264275a600972998d3d8d45f3add922ad5f20d2365c9327ef6caecc6211609c7
                                                • Instruction ID: dceda6915c54ad741f89ddeebac1050784350ac23a6cb71f09d814d11a86b593
                                                • Opcode Fuzzy Hash: 264275a600972998d3d8d45f3add922ad5f20d2365c9327ef6caecc6211609c7
                                                • Instruction Fuzzy Hash: E7E02622F1A91A57E394337820364FC2581CF48690B41053AE40DC62EBEC1D6D420284
                                                Function 00007FFD9B7F2DC8 Relevance: .0, Instructions: 13COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1700131975.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b7f0000_RuntimeBroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb34cfd6402c0cf2cd3d1552bc79771280b33ffe8363ad7088facd0752a6bcfc
                                                • Instruction ID: 4f5a2ac70440ddbf5dd8d05bae4b54741cff1a685b8801eb762a0e07459db911
                                                • Opcode Fuzzy Hash: eb34cfd6402c0cf2cd3d1552bc79771280b33ffe8363ad7088facd0752a6bcfc
                                                • Instruction Fuzzy Hash: 99C01262B16E4E4BDB65EFC824912F87691FFC83807D50239A008E2175CF241551A284