Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ny9LDJr6pA.exe

Overview

General Information

Sample name:ny9LDJr6pA.exe
renamed because original name is a hash value
Original sample name:196e2ae082841b1ab98dcfa445cf2704.exe
Analysis ID:1584624
MD5:196e2ae082841b1ab98dcfa445cf2704
SHA1:4af7f4bb970331ae1eb569100de98c93b61c5459
SHA256:c3e669b477d3e633bf336fc5d2506c86c8fc61b4d0be36fe2bbe3b361cf70a70
Tags:exeQuasarRATRATuser-abuse_ch
Infos:

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ny9LDJr6pA.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\ny9LDJr6pA.exe" MD5: 196E2AE082841B1AB98DCFA445CF2704)
    • schtasks.exe (PID: 7544 cmdline: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Runtime Broker.exe (PID: 7600 cmdline: "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" MD5: 196E2AE082841B1AB98DCFA445CF2704)
      • schtasks.exe (PID: 7688 cmdline: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Runtime Broker.exe (PID: 7664 cmdline: "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" MD5: 196E2AE082841B1AB98DCFA445CF2704)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Quasar RAT, QuasarRATQuasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "91.160.181.237:4782;91.160.181.237:4783;", "SubDirectory": "Runtime Broker", "InstallName": "Runtime Broker.exe", "MutexName": "bcda0faa-47b1-4e7d-be7c-8ff6fbc69a61", "StartupKey": "Runtime Broker", "Tag": "database", "LogDirectoryName": "Logs", "ServerSignature": "AXyAB9i/QMJIU4gAdq1J+oniXOume3lU0T3mxu8IbdQdZszooY4hH9oIzunY7uWEeH5OlXOXfcuCfe0kKFfGEKM7XRr8jCBOkPTdS45c6qEpqV6p7Xgf5apTLyQ+nhcpX2Kj5wmcb7/d/IkQ0EYvseR15ZhRZ9DhW2WyhUtb9PBZLtFfMk/4PXSr84aAVdYq0WtitFSDymQ93Y2bBvw4ONybXHQnu7GCtw37EfycClx3qEYXr3UWQqzNpk8zvgRFsC0DH1Jlj7X8pkiz+ZB5zxx38ZPAHOjO5vwkOzJzPmmT2VCkaw/6LYXGPeIz2GG76GtNcjP/yvlzB+pg9kOyptgH97tiKY5rux6cvIpEYY881bj6rgSmp6fexC9Tlo+0eZQJkuo0m0KnckjFf8jCCNsfzOy3W/XhlvZrwRBxTqCESNU8Pgl4/VUNQb97J7g2+qHvQP5YICJuwDKWsupSooNlMUbj28SdfjWHV4FqN0trPxfkI/aLYsvObLVm+XIkGE+9IqB+R01Fobp2B4AzvGiFS2k/lESyFiCTWOEpRL0rgyIM1/he6JGyo+bhq72+IZAehI6IJigodhZeXHPXbzg6gCjVhUJw1g+B2PVRgy+GTHcRYD+b3oX7L26Hih+/pEK1590qFQa8k4VPLbZ8BYEVAP/086SQFh+6LCqAW+A=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAOJVSuPyL8hJWIKlG45dAzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTIzMDcwMjEyNDQyMVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr0icLbTG7+EbVFBiDOtG0P/teScd/9W++vB3ud2IzAipEreS6eWe1tortnmxqOzd1naorhWrkJFOKd8ZvM97F7O2KjSUkAWPLy1ZtN8VVaBVyzeQGMcy052/AfS+9FPdgoWNjVhBO8BqUlRadFqtQ0YkSh3ljPOeCGoDcwFjbqpg4afzwhqeuubqFaAX1aglP+VXsZ0tqJgVR3A6tSoYNgl2l+qylC2tSYKtlCEVoCCAxiQWUrKIk03DkYW427jYo08qAVUaFdOvuI2vbtKn6qZVQ7teLgc1vUHyQYINFg2OipfBXvuwQ8ZAXq9kwN0UIy+WnI4cVUClWZMNPXZ+V3zkK98liNZZZDSbLc9OAGJqk6ZKNs1sczaMcMKQv/jo4ZgWyEYcJMvKT2yY6kG+rZ0xmahx8NjF+9r612Lhnh7/V67N95Sd9onoq6d9z8gokcu39xvtwTVFGzPUo2stLWEQDj0A01v/o4oFr99/v1a8yYgGsLMLC1LMJnftFqIY8jwUOMASGNP6REgR8JUt2NWI/keX7UKYT6W6B9r45w/JxrTHipkrHOMA0cRXF2G2c2yUo7kg8lugQodWcQHx3ppM99WgeM35CJbOPVow4j7lQhDM9Nt8Xbx+GmTzRxxL9nlAlTc/6s532MGcWRpG6GCtmdSkL1SRav0b6bJX2p8CAwEAAaMyMDAwHQYDVR0OBBYEFGkT/G3gZe2DglfmM3uVPBg+AI8xMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBADIYLKX0Ilznp0aMkI/pP0gWscsfOHfPtdar81lsIoszY0F621AczluG1osi00pboN9K9zb9+HmOSi9MsFHu7OaDhZBmw0ebTZVccX8K/lVhbb28nG0Jwk80pUGbq6AoZY8AssHfaPq4j8A5cArI5eg6DPvT8ijjuq1vTln4EjRuZclCKMuGw6Vx/1SinCvaTff9GPxYn2/egLvNxLrNbi/L1UYfltIBXvvIECtQ4X45pPTVE9UBpSS2OMYxzpESZD0HFqdm5IZZ7sL8pJAo2/l4HqijJk1JCsljC//IABz9KneIRO0pQKRmVXTF9L2qGLse5bYd6RvSOqgromnz9wtHljZy9oRKzwqbfYAH/M/M6tbzIztff/TYw8Cuj/7lPDOHLxzepH04wvjjaceZRaM0lyHmB42qIuSvrvWo1Cg4YP3RnIdv2NqqpUkaPpO3ZX3LGQ1JFmqjDZkgOzjLlfAPOCX7Okalt/KrAhl8FxKY6BvdQaFYL746DAeT89aCwBHwnxWokLE2t9NBOpVVNRpDJ9XnwBEx0qDyeqXe7KGpR3ZdveyviEz/qdXSgw++q7/WRFuzWYGwOXZrSpfBT+W29JDz9HWEYzdvhPmL984TRQ0R3TZzYZct6uiArNb6rT+A+KWFDzJc+PB2MW1ToFDeQ28BB3ugpS3OSh/vfuDs"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
ny9LDJr6pA.exeJoeSecurity_QuasarYara detected Quasar RATJoe Security
    ny9LDJr6pA.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      ny9LDJr6pA.exeMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
      • 0x28eed7:$x1: Quasar.Common.Messages
      • 0x29f200:$x1: Quasar.Common.Messages
      • 0x2ab816:$x4: Uninstalling... good bye :-(
      • 0x2ad00b:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
      ny9LDJr6pA.exeINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
      • 0x2aadc8:$f1: FileZilla\recentservers.xml
      • 0x2aae08:$f2: FileZilla\sitemanager.xml
      • 0x2aae4a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
      • 0x2ab096:$b1: Chrome\User Data\
      • 0x2ab0ec:$b1: Chrome\User Data\
      • 0x2ab3c4:$b2: Mozilla\Firefox\Profiles
      • 0x2ab4c0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2fd46c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      • 0x2ab618:$b4: Opera Software\Opera Stable\Login Data
      • 0x2ab6d2:$b5: YandexBrowser\User Data\
      • 0x2ab740:$b5: YandexBrowser\User Data\
      • 0x2ab414:$s4: logins.json
      • 0x2ab14a:$a1: username_value
      • 0x2ab168:$a2: password_value
      • 0x2ab454:$a3: encryptedUsername
      • 0x2fd3b0:$a3: encryptedUsername
      • 0x2ab478:$a4: encryptedPassword
      • 0x2fd3ce:$a4: encryptedPassword
      • 0x2fd34c:$a5: httpRealm
      ny9LDJr6pA.exeMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
      • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
      • 0x2ab900:$s3: Process already elevated.
      • 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords
      • 0x278c92:$s5: GetKeyloggerLogsDirectory
      • 0x29e95f:$s5: GetKeyloggerLogsDirectory
      • 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords
      • 0x2fea9a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Windows\System32\Runtime Broker\Runtime Broker.exeJoeSecurity_QuasarYara detected Quasar RATJoe Security
        C:\Windows\System32\Runtime Broker\Runtime Broker.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Windows\System32\Runtime Broker\Runtime Broker.exeMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
          • 0x28eed7:$x1: Quasar.Common.Messages
          • 0x29f200:$x1: Quasar.Common.Messages
          • 0x2ab816:$x4: Uninstalling... good bye :-(
          • 0x2ad00b:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
          C:\Windows\System32\Runtime Broker\Runtime Broker.exeINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
          • 0x2aadc8:$f1: FileZilla\recentservers.xml
          • 0x2aae08:$f2: FileZilla\sitemanager.xml
          • 0x2aae4a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
          • 0x2ab096:$b1: Chrome\User Data\
          • 0x2ab0ec:$b1: Chrome\User Data\
          • 0x2ab3c4:$b2: Mozilla\Firefox\Profiles
          • 0x2ab4c0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
          • 0x2fd46c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
          • 0x2ab618:$b4: Opera Software\Opera Stable\Login Data
          • 0x2ab6d2:$b5: YandexBrowser\User Data\
          • 0x2ab740:$b5: YandexBrowser\User Data\
          • 0x2ab414:$s4: logins.json
          • 0x2ab14a:$a1: username_value
          • 0x2ab168:$a2: password_value
          • 0x2ab454:$a3: encryptedUsername
          • 0x2fd3b0:$a3: encryptedUsername
          • 0x2ab478:$a4: encryptedPassword
          • 0x2fd3ce:$a4: encryptedPassword
          • 0x2fd34c:$a5: httpRealm
          C:\Windows\System32\Runtime Broker\Runtime Broker.exeMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
          • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
          • 0x2ab900:$s3: Process already elevated.
          • 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords
          • 0x278c92:$s5: GetKeyloggerLogsDirectory
          • 0x29e95f:$s5: GetKeyloggerLogsDirectory
          • 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords
          • 0x2fea9a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000003.00000002.2938288249.0000000003682000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
            00000000.00000002.1702180563.000000001B990000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
              00000000.00000000.1672163780.0000000000692000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
                Process Memory Space: ny9LDJr6pA.exe PID: 7508JoeSecurity_QuasarYara detected Quasar RATJoe Security
                  Process Memory Space: Runtime Broker.exe PID: 7600JoeSecurity_QuasarYara detected Quasar RATJoe Security

                    Unpacked PEs

                    SourceRuleDescriptionAuthorStrings
                    0.0.ny9LDJr6pA.exe.690000.0.unpackJoeSecurity_QuasarYara detected Quasar RATJoe Security
                      0.0.ny9LDJr6pA.exe.690000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                        0.0.ny9LDJr6pA.exe.690000.0.unpackMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
                        • 0x28eed7:$x1: Quasar.Common.Messages
                        • 0x29f200:$x1: Quasar.Common.Messages
                        • 0x2ab816:$x4: Uninstalling... good bye :-(
                        • 0x2ad00b:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
                        0.0.ny9LDJr6pA.exe.690000.0.unpackINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
                        • 0x2aadc8:$f1: FileZilla\recentservers.xml
                        • 0x2aae08:$f2: FileZilla\sitemanager.xml
                        • 0x2aae4a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
                        • 0x2ab096:$b1: Chrome\User Data\
                        • 0x2ab0ec:$b1: Chrome\User Data\
                        • 0x2ab3c4:$b2: Mozilla\Firefox\Profiles
                        • 0x2ab4c0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                        • 0x2fd46c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                        • 0x2ab618:$b4: Opera Software\Opera Stable\Login Data
                        • 0x2ab6d2:$b5: YandexBrowser\User Data\
                        • 0x2ab740:$b5: YandexBrowser\User Data\
                        • 0x2ab414:$s4: logins.json
                        • 0x2ab14a:$a1: username_value
                        • 0x2ab168:$a2: password_value
                        • 0x2ab454:$a3: encryptedUsername
                        • 0x2fd3b0:$a3: encryptedUsername
                        • 0x2ab478:$a4: encryptedPassword
                        • 0x2fd3ce:$a4: encryptedPassword
                        • 0x2fd34c:$a5: httpRealm
                        0.0.ny9LDJr6pA.exe.690000.0.unpackMALWARE_Win_QuasarStealerDetects Quasar infostealerditekshen
                        • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
                        • 0x2ab900:$s3: Process already elevated.
                        • 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords
                        • 0x278c92:$s5: GetKeyloggerLogsDirectory
                        • 0x29e95f:$s5: GetKeyloggerLogsDirectory
                        • 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords
                        • 0x2fea9a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

                        Sigma Signatures

                        No Sigma rule has matched

                        Suricata Signatures

                        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                        2025-01-06T04:17:02.860816+010020355951Domain Observed Used for C2 Detected91.160.181.2374782192.168.2.449730TCP
                        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                        2025-01-06T04:17:02.860816+010020276191Domain Observed Used for C2 Detected91.160.181.2374782192.168.2.449730TCP

                        Joe Sandbox Signatures

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Antivirus / Scanner detection for submitted sample
                        Source: ny9LDJr6pA.exeAvira: detected
                        Antivirus detection for dropped file
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeAvira: detection malicious, Label: HEUR/AGEN.1307453
                        Found malware configuration
                        Source: ny9LDJr6pA.exeMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "91.160.181.237:4782;91.160.181.237:4783;", "SubDirectory": "Runtime Broker", "InstallName": "Runtime Broker.exe", "MutexName": "bcda0faa-47b1-4e7d-be7c-8ff6fbc69a61", "StartupKey": "Runtime Broker", "Tag": "database", "LogDirectoryName": "Logs", "ServerSignature": "AXyAB9i/QMJIU4gAdq1J+oniXOume3lU0T3mxu8IbdQdZszooY4hH9oIzunY7uWEeH5OlXOXfcuCfe0kKFfGEKM7XRr8jCBOkPTdS45c6qEpqV6p7Xgf5apTLyQ+nhcpX2Kj5wmcb7/d/IkQ0EYvseR15ZhRZ9DhW2WyhUtb9PBZLtFfMk/4PXSr84aAVdYq0WtitFSDymQ93Y2bBvw4ONybXHQnu7GCtw37EfycClx3qEYXr3UWQqzNpk8zvgRFsC0DH1Jlj7X8pkiz+ZB5zxx38ZPAHOjO5vwkOzJzPmmT2VCkaw/6LYXGPeIz2GG76GtNcjP/yvlzB+pg9kOyptgH97tiKY5rux6cvIpEYY881bj6rgSmp6fexC9Tlo+0eZQJkuo0m0KnckjFf8jCCNsfzOy3W/XhlvZrwRBxTqCESNU8Pgl4/VUNQb97J7g2+qHvQP5YICJuwDKWsupSooNlMUbj28SdfjWHV4FqN0trPxfkI/aLYsvObLVm+XIkGE+9IqB+R01Fobp2B4AzvGiFS2k/lESyFiCTWOEpRL0rgyIM1/he6JGyo+bhq72+IZAehI6IJigodhZeXHPXbzg6gCjVhUJw1g+B2PVRgy+GTHcRYD+b3oX7L26Hih+/pEK1590qFQa8k4VPLbZ8BYEVAP/086SQFh+6LCqAW+A=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAOJVSuPyL8hJWIKlG45dAzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTIzMDcwMjEyNDQyMVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr0icLbTG7+EbVFBiDOtG0P/teScd/9W++vB3ud2IzAipEreS6eWe1tortnmxqOzd1naorhWrkJFOKd8ZvM97F7O2KjSUkAWPLy1ZtN8VVaBVyzeQGMcy052/AfS+9FPdgoWNjVhBO8BqUlRadFqtQ0YkSh3ljPOeCGoDcwFjbqpg4afzwhqeuubqFaAX1aglP+VXsZ0tqJgVR3A6tSoYNgl2l+qylC2tSYKtlCEVoCCAxiQWUrKIk03DkYW427jYo08qAVUaFdOvuI2vbtKn6qZVQ7teLgc1vUHyQYINFg2OipfBXvuwQ8ZAXq9kwN0UIy+WnI4cVUClWZMNPXZ+V3zkK98liNZZZDSbLc9OAGJqk6ZKNs1sczaMcMKQv/jo4ZgWyEYcJMvKT2yY6kG+rZ0xmahx8NjF+9r612Lhnh7/V67N95Sd9onoq6d9z8gokcu39xvtwTVFGzPUo2stLWEQDj0A01v/o4oFr99/v1a8yYgGsLMLC1LMJnftFqIY8jwUOMASGNP6REgR8JUt2NWI/keX7UKYT6W6B9r45w/JxrTHipkrHOMA0cRXF2G2c2yUo7kg8lugQodWcQHx3ppM99WgeM35CJbOPVow4j7lQhDM9Nt8Xbx+GmTzRxxL9nlAlTc/6s532MGcWRpG6GCtmdSkL1SRav0b6bJX2p8CAwEAAaMyMDAwHQYDVR0OBBYEFGkT/G3gZe2DglfmM3uVPBg+AI8xMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBADIYLKX0Ilznp0aMkI/pP0gWscsfOHfPtdar81lsIoszY0F621AczluG1osi00pboN9K9zb9+HmOSi9MsFHu7OaDhZBmw0ebTZVccX8K/lVhbb28nG0Jwk80pUGbq6AoZY8AssHfaPq4j8A5cArI5eg6DPvT8ijjuq1vTln4EjRuZclCKMuGw6Vx/1SinCvaTff9GPxYn2/egLvNxLrNbi/L1UYfltIBXvvIECtQ4X45pPTVE9UBpSS2OMYxzpESZD0HFqdm5IZZ7sL8pJAo2/l4HqijJk1JCsljC//IABz9KneIRO0pQKRmVXTF9L2qGLse5bYd6RvSOqgromnz9wtHljZy9oRKzwqbfYAH/M/M6tbzIztff/TYw8Cuj/7lPDOHLxzepH04wvjjaceZRaM0lyHmB42qIuSvrvWo1Cg4YP3RnIdv2NqqpUkaPpO3ZX3LGQ1JFmqjDZkgOzjLlfAPOCX7Okalt/KrAhl8FxKY6BvdQaFYL746DAeT89aCwBHwnxWokLE2t9NBOpVVNRpDJ9XnwBEx0qDyeqXe7KGpR3ZdveyviEz/qdXSgw++q7/WRFuzWYGwOXZrSpfBT+W29JDz9HWEYzdvhPmL984TRQ0R3TZzYZct6uiArNb6rT+A+KWFDzJc+PB2MW1ToFDeQ28BB3ugpS3OSh/vfuDs"}
                        Multi AV Scanner detection for dropped file
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeReversingLabs: Detection: 73%
                        Multi AV Scanner detection for submitted file
                        Source: ny9LDJr6pA.exeReversingLabs: Detection: 73%
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: ny9LDJr6pA.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.2938288249.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1702180563.000000001B990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1672163780.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: ny9LDJr6pA.exe PID: 7508, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Runtime Broker.exe PID: 7600, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED
                        AI detected suspicious sample
                        Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                        Machine Learning detection for dropped file
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeJoe Sandbox ML: detected
                        Machine Learning detection for sample
                        Source: ny9LDJr6pA.exeJoe Sandbox ML: detected
                        Source: ny9LDJr6pA.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49732 version: TLS 1.2
                        Source: ny9LDJr6pA.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Networking

                        barindex
                        Suricata IDS alerts for network traffic
                        Source: Network trafficSuricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 91.160.181.237:4782 -> 192.168.2.4:49730
                        Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 91.160.181.237:4782 -> 192.168.2.4:49730
                        C2 URLs / IPs found in malware configuration
                        Source: Malware configuration extractorURLs: 91.160.181.237
                        Yara detected Generic Downloader
                        Source: Yara matchFile source: ny9LDJr6pA.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED
                        Source: global trafficTCP traffic: 192.168.2.4:49730 -> 91.160.181.237:4782
                        Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                        Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                        Source: Joe Sandbox ViewASN Name: PROXADFR PROXADFR
                        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: unknownDNS query: name: ipwho.is
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownTCP traffic detected without corresponding DNS query: 91.160.181.237
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                        Source: global trafficDNS traffic detected: DNS query: ipwho.is
                        Source: Runtime Broker.exe, 00000003.00000002.2943484523.000000001BE6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                        Source: Runtime Broker.exe, 00000003.00000002.2943484523.000000001BE13000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.3.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                        Source: Runtime Broker.exe, 00000003.00000002.2937499225.0000000001706000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en1
                        Source: Runtime Broker.exe, 00000003.00000002.2938288249.0000000003633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipwho.is
                        Source: Runtime Broker.exe, 00000003.00000002.2938288249.0000000003682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                        Source: ny9LDJr6pA.exe, 00000000.00000002.1699784903.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Runtime Broker.exe, 00000003.00000002.2938288249.0000000003289000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: ny9LDJr6pA.exe, Runtime Broker.exe.0.drString found in binary or memory: https://api.ipify.org/
                        Source: Runtime Broker.exe, 00000003.00000002.2938288249.0000000003619000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is
                        Source: ny9LDJr6pA.exe, Runtime Broker.exe.0.drString found in binary or memory: https://ipwho.is/
                        Source: ny9LDJr6pA.exe, Runtime Broker.exe.0.drString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                        Source: ny9LDJr6pA.exe, Runtime Broker.exe.0.drString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                        Source: ny9LDJr6pA.exe, Runtime Broker.exe.0.drString found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                        Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49732 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        barindex
                        Installs a global keyboard hook
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeWindows user hook set: 0 keyboard low level C:\Windows\system32\Runtime Broker\Runtime Broker.exeJump to behavior

                        E-Banking Fraud

                        barindex
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: ny9LDJr6pA.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.2938288249.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1702180563.000000001B990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1672163780.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: ny9LDJr6pA.exe PID: 7508, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Runtime Broker.exe PID: 7600, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED

                        System Summary

                        barindex
                        Malicious sample detected (through community Yara rule)
                        Source: ny9LDJr6pA.exe, type: SAMPLEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: ny9LDJr6pA.exe, type: SAMPLEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: ny9LDJr6pA.exe, type: SAMPLEMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPEDMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPEDMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeFile created: C:\Windows\system32\Runtime BrokerJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeFile created: C:\Windows\system32\Runtime Broker\Runtime Broker.exeJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB17C163_2_00007FFD9BB17C16
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB1EBCC3_2_00007FFD9BB1EBCC
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB092713_2_00007FFD9BB09271
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB1C1FC3_2_00007FFD9BB1C1FC
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB18A0F3_2_00007FFD9BB18A0F
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB0AFDD3_2_00007FFD9BB0AFDD
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB1B7FC3_2_00007FFD9BB1B7FC
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB09FD03_2_00007FFD9BB09FD0
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB055D63_2_00007FFD9BB055D6
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB0C2A53_2_00007FFD9BB0C2A5
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB0621F3_2_00007FFD9BB0621F
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BC2237C3_2_00007FFD9BC2237C
                        Source: ny9LDJr6pA.exe, 00000000.00000002.1702180563.000000001B990000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCopyright (C) 2017-2021 0 vs ny9LDJr6pA.exe
                        Source: ny9LDJr6pA.exe, 00000000.00000000.1672488675.00000000009B0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCopyright (C) 2017-2021 0 vs ny9LDJr6pA.exe
                        Source: ny9LDJr6pA.exeBinary or memory string: OriginalFilenameCopyright (C) 2017-2021 0 vs ny9LDJr6pA.exe
                        Source: ny9LDJr6pA.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: ny9LDJr6pA.exe, type: SAMPLEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: ny9LDJr6pA.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: ny9LDJr6pA.exe, type: SAMPLEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPEDMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@10/5@1/2
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ny9LDJr6pA.exe.logJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeMutant created: \Sessions\1\BaseNamedObjects\Local\bcda0faa-47b1-4e7d-be7c-8ff6fbc69a61
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
                        Source: ny9LDJr6pA.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: ny9LDJr6pA.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: ny9LDJr6pA.exeReversingLabs: Detection: 73%
                        Source: ny9LDJr6pA.exeString found in binary or memory: HasSubValue3Conflicting item/add type
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeFile read: C:\Users\user\Desktop\ny9LDJr6pA.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\ny9LDJr6pA.exe "C:\Users\user\Desktop\ny9LDJr6pA.exe"
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess created: C:\Windows\System32\Runtime Broker\Runtime Broker.exe "C:\Windows\system32\Runtime Broker\Runtime Broker.exe"
                        Source: unknownProcess created: C:\Windows\System32\Runtime Broker\Runtime Broker.exe "C:\Windows\system32\Runtime Broker\Runtime Broker.exe"
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess created: C:\Windows\System32\Runtime Broker\Runtime Broker.exe "C:\Windows\system32\Runtime Broker\Runtime Broker.exe"Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: cryptnet.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: webio.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                        Source: ny9LDJr6pA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: ny9LDJr6pA.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: ny9LDJr6pA.exeStatic file information: File size 3266048 > 1048576
                        Source: ny9LDJr6pA.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600
                        Source: ny9LDJr6pA.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9B77D2A5 pushad ; iretd 3_2_00007FFD9B77D2A6
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB1B7FC push ss; ret 3_2_00007FFD9BB1BFAA
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB02C40 push FD9BC30Ah; ret 3_2_00007FFD9BB1AEBA
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB0336E push eax; ret 3_2_00007FFD9BB0340C
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB1C0FD push ss; ret 3_2_00007FFD9BB1C11A
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB1F03A push esp; iretd 3_2_00007FFD9BB1F03C
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BB1BFAC push ss; ret 3_2_00007FFD9BB1C04A
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9BC2237C push edx; retf 5F1Fh3_2_00007FFD9BC25A3B

                        Persistence and Installation Behavior

                        barindex
                        Drops executables to the windows directory (C:\Windows) and starts them
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeExecutable created and started: C:\Windows\system32\Runtime Broker\Runtime Broker.exeJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeFile created: C:\Windows\System32\Runtime Broker\Runtime Broker.exeJump to dropped file
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeFile created: C:\Windows\System32\Runtime Broker\Runtime Broker.exeJump to dropped file

                        Boot Survival

                        barindex
                        Uses schtasks.exe or at.exe to add and modify task schedules
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Hides that the sample has been downloaded from the Internet (zone.identifier)
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeFile opened: C:\Users\user\Desktop\ny9LDJr6pA.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeFile opened: C:\Windows\system32\Runtime Broker\Runtime Broker.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeFile opened: C:\Windows\system32\Runtime Broker\Runtime Broker.exe:Zone.Identifier read attributes | deleteJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeMemory allocated: 11F0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeMemory allocated: 1ADA0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeMemory allocated: 2FD0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeMemory allocated: 1B250000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeMemory allocated: 24D0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeMemory allocated: 1A790000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeCode function: 3_2_00007FFD9B89F1F2 str ax3_2_00007FFD9B89F1F2
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeWindow / User API: threadDelayed 2428Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeWindow / User API: threadDelayed 7321Jump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exe TID: 7532Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 7760Thread sleep count: 34 > 30Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 7760Thread sleep time: -31359464925306218s >= -30000sJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 7764Thread sleep count: 2428 > 30Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 7764Thread sleep count: 7321 > 30Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 7712Thread sleep time: -30000s >= -30000sJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 7684Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: Runtime Broker.exe, 00000003.00000002.2943484523.000000001BE6D000.00000004.00000020.00020000.00000000.sdmp, Runtime Broker.exe, 00000003.00000002.2943484523.000000001BE13000.00000004.00000020.00020000.00000000.sdmp, Runtime Broker.exe, 00000003.00000002.2943484523.000000001BEBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeMemory allocated: page read and write | page guardJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeProcess created: C:\Windows\System32\Runtime Broker\Runtime Broker.exe "C:\Windows\system32\Runtime Broker\Runtime Broker.exe"Jump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /fJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeQueries volume information: C:\Users\user\Desktop\ny9LDJr6pA.exe VolumeInformationJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeQueries volume information: C:\Windows\System32\Runtime Broker\Runtime Broker.exe VolumeInformationJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exeQueries volume information: C:\Windows\System32\Runtime Broker\Runtime Broker.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ny9LDJr6pA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        barindex
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: ny9LDJr6pA.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.2938288249.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1702180563.000000001B990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1672163780.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: ny9LDJr6pA.exe PID: 7508, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Runtime Broker.exe PID: 7600, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED

                        Remote Access Functionality

                        barindex
                        Yara detected Quasar RAT
                        Source: Yara matchFile source: ny9LDJr6pA.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.ny9LDJr6pA.exe.690000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.2938288249.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1702180563.000000001B990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.1672163780.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: ny9LDJr6pA.exe PID: 7508, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Runtime Broker.exe PID: 7600, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED

                        Mitre Att&ck Matrix

                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
                        Windows Management Instrumentation                        		1
                        Scheduled Task/Job                        		11
                        Process Injection                        		121
                        Masquerading                        		11
                        Input Capture                        		111
                        Security Software Discovery                        		Remote Services11
                        Input Capture                        		11
                        Encrypted Channel                        		Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault Accounts2
                        Command and Scripting Interpreter                        		1
                        DLL Side-Loading                        		1
                        Scheduled Task/Job                        		1
                        Disable or Modify Tools                        		LSASS Memory51
                        Virtualization/Sandbox Evasion                        		Remote Desktop Protocol1
                        Archive Collected Data                        		1
                        Non-Standard Port                        		Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain Accounts1
                        Scheduled Task/Job                        		Logon Script (Windows)1
                        DLL Side-Loading                        		51
                        Virtualization/Sandbox Evasion                        		Security Account Manager1
                        Application Window Discovery                        		SMB/Windows Admin SharesData from Network Shared Drive1
                        Ingress Tool Transfer                        		Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                        Process Injection                        		NTDS1
                        System Network Configuration Discovery                        		Distributed Component Object ModelInput Capture2
                        Non-Application Layer Protocol                        		Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                        Hidden Files and Directories                        		LSA Secrets23
                        System Information Discovery                        		SSHKeylogging113
                        Application Layer Protocol                        		Scheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                        Obfuscated Files or Information                        		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                        DLL Side-Loading                        		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        SourceDetectionScannerLabelLink
                        ny9LDJr6pA.exe74%ReversingLabsByteCode-MSIL.Backdoor.Quasar
                        ny9LDJr6pA.exe100%AviraHEUR/AGEN.1307453
                        ny9LDJr6pA.exe100%Joe Sandbox ML

                        Dropped Files

                        SourceDetectionScannerLabelLink
                        C:\Windows\System32\Runtime Broker\Runtime Broker.exe100%AviraHEUR/AGEN.1307453
                        C:\Windows\System32\Runtime Broker\Runtime Broker.exe100%Joe Sandbox ML
                        C:\Windows\System32\Runtime Broker\Runtime Broker.exe74%ReversingLabsByteCode-MSIL.Backdoor.Quasar

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        No Antivirus matches

                        URLs

                        SourceDetectionScannerLabelLink
                        91.160.181.2370%Avira URL Cloudsafe

                        Domains and IPs

                        Contacted Domains

                        NameIPActiveMaliciousAntivirus DetectionReputation
                        bg.microsoft.map.fastly.net
                        		199.232.214.172
                        		truefalse
                          		high
                          ipwho.is
                          		195.201.57.90
                          		truefalse
                            		high

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            91.160.181.237true
                            • Avira URL Cloud: safe
                            		unknown
                            https://ipwho.is/false
                              		high

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              https://api.ipify.org/ny9LDJr6pA.exe, Runtime Broker.exe.0.drfalse
                                		high
                                https://stackoverflow.com/q/14436606/23354ny9LDJr6pA.exe, Runtime Broker.exe.0.drfalse
                                  		high
                                  https://stackoverflow.com/q/2152978/23354sCannotny9LDJr6pA.exe, Runtime Broker.exe.0.drfalse
                                    		high
                                    http://schemas.datacontract.org/2004/07/Runtime Broker.exe, 00000003.00000002.2938288249.0000000003682000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameny9LDJr6pA.exe, 00000000.00000002.1699784903.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Runtime Broker.exe, 00000003.00000002.2938288249.0000000003289000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://crl.vRuntime Broker.exe, 00000003.00000002.2943484523.000000001BE6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          http://ipwho.isRuntime Broker.exe, 00000003.00000002.2938288249.0000000003633000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://stackoverflow.com/q/11564914/23354;ny9LDJr6pA.exe, Runtime Broker.exe.0.drfalse
                                              		high
                                              https://ipwho.isRuntime Broker.exe, 00000003.00000002.2938288249.0000000003619000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high

                                                World Map of Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public IPs

                                                IPDomainCountryFlagASNASN NameMalicious
                                                91.160.181.237
                                                		unknownFrance
                                                		12322PROXADFRtrue
                                                195.201.57.90
                                                		ipwho.isGermany
                                                		24940HETZNER-ASDEfalse

                                                General Information

                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1584624
                                                Start date and time:2025-01-06 04:16:06 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 5m 44s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:11
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:ny9LDJr6pA.exe
                                                renamed because original name is a hash value
                                                Original Sample Name:196e2ae082841b1ab98dcfa445cf2704.exe
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@10/5@1/2
                                                EGA Information:
                                                • Successful, ratio: 66.7%
                                                HCA Information:
                                                • Successful, ratio: 86%
                                                • Number of executed functions: 57
                                                • Number of non-executed functions: 2
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe

                                                Warnings

                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded IPs from analysis (whitelisted): 199.232.214.172, 4.175.87.197, 13.107.246.45
                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target Runtime Broker.exe, PID 7664 because it is empty
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                03:17:00Task SchedulerRun new task: Runtime Broker path: C:\Windows\system32\Runtime s>Broker\Runtime Broker.exe
                                                22:17:02API Interceptor4026145x Sleep call for process: Runtime Broker.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                195.201.57.90SPt4FUjZMt.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLineBrowse
                                                • /?output=json
                                                765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                                • /?output=json
                                                765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                                • /?output=json
                                                WfKynArKjH.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, RedLineBrowse
                                                • /?output=json
                                                ubes6SC7Vd.exeGet hashmaliciousUnknownBrowse
                                                • ipwhois.app/xml/
                                                cOQD62FceM.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                                • /?output=json
                                                Clipper.exeGet hashmaliciousUnknownBrowse
                                                • /?output=json
                                                cOQD62FceM.exeGet hashmaliciousLuca StealerBrowse
                                                • /?output=json
                                                Cryptor.exeGet hashmaliciousLuca StealerBrowse
                                                • /?output=json
                                                Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                                • /?output=json

                                                Domains

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                ipwho.isjaTDEkWCbs.exeGet hashmaliciousQuasarBrowse
                                                • 195.201.57.90
                                                2Mi3lKoJfj.exeGet hashmaliciousQuasarBrowse
                                                • 195.201.57.90
                                                YJaaZuNHwI.exeGet hashmaliciousQuasarBrowse
                                                • 195.201.57.90
                                                Flasher.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                                • 108.181.61.49
                                                msgde.exeGet hashmaliciousQuasarBrowse
                                                • 108.181.61.49
                                                6ee7HCp9cD.exeGet hashmaliciousQuasarBrowse
                                                • 108.181.61.49
                                                wUSt04rfJ0.exeGet hashmaliciousQuasarBrowse
                                                • 108.181.61.49
                                                https://en.newsnowbangla.com/archives/69912Get hashmaliciousHTMLPhisher, TechSupportScamBrowse
                                                • 108.181.61.49
                                                StGx54oFh6.exeGet hashmaliciousQuasarBrowse
                                                • 108.181.61.49
                                                1AqzGcCKey.exeGet hashmaliciousQuasarBrowse
                                                • 108.181.61.49
                                                bg.microsoft.map.fastly.netJP1KbvjWcM.exeGet hashmaliciousCobaltStrike, MetasploitBrowse
                                                • 199.232.210.172
                                                cZO.exeGet hashmaliciousUnknownBrowse
                                                • 199.232.214.172
                                                jaTDEkWCbs.exeGet hashmaliciousQuasarBrowse
                                                • 199.232.210.172
                                                3LcZO15oTC.exeGet hashmaliciousUnknownBrowse
                                                • 199.232.210.172
                                                N5kEzgUBn6.exeGet hashmaliciousCobaltStrike, MetasploitBrowse
                                                • 199.232.214.172
                                                Tax_Refund_Claim_2024_Australian_Taxation_Office.jsGet hashmaliciousRemcosBrowse
                                                • 199.232.214.172
                                                N5kEzgUBn6.exeGet hashmaliciousCobaltStrike, MetasploitBrowse
                                                • 199.232.210.172
                                                setup64v9.3.4.msiGet hashmaliciousUnknownBrowse
                                                • 199.232.210.172
                                                KpHYfxnJs6.exeGet hashmaliciousBlank GrabberBrowse
                                                • 199.232.210.172
                                                c2.htaGet hashmaliciousRemcosBrowse
                                                • 199.232.214.172

                                                ASNs

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                PROXADFRcZO.exeGet hashmaliciousUnknownBrowse
                                                • 82.65.181.52
                                                Fantazy.spc.elfGet hashmaliciousUnknownBrowse
                                                • 78.240.160.233
                                                Fantazy.x86.elfGet hashmaliciousUnknownBrowse
                                                • 78.224.99.170
                                                momo.mips.elfGet hashmaliciousMiraiBrowse
                                                • 88.180.232.176
                                                momo.arm.elfGet hashmaliciousMiraiBrowse
                                                • 78.234.76.85
                                                momo.arm7.elfGet hashmaliciousMiraiBrowse
                                                • 88.165.176.186
                                                armv4l.elfGet hashmaliciousUnknownBrowse
                                                • 91.174.92.37
                                                1.elfGet hashmaliciousUnknownBrowse
                                                • 78.225.31.198
                                                armv6l.elfGet hashmaliciousUnknownBrowse
                                                • 78.201.21.165
                                                armv4l.elfGet hashmaliciousUnknownBrowse
                                                • 78.212.91.174
                                                HETZNER-ASDE2.elfGet hashmaliciousUnknownBrowse
                                                • 213.133.114.151
                                                ZT0KQ1PC.exeGet hashmaliciousPureLog Stealer, VidarBrowse
                                                • 116.203.13.109
                                                cZO.exeGet hashmaliciousUnknownBrowse
                                                • 128.140.43.40
                                                jaTDEkWCbs.exeGet hashmaliciousQuasarBrowse
                                                • 195.201.57.90
                                                NpHauDPoR8.exeGet hashmaliciousUnknownBrowse
                                                • 88.198.29.97
                                                armv6l.elfGet hashmaliciousMiraiBrowse
                                                • 85.10.220.49
                                                1.elfGet hashmaliciousUnknownBrowse
                                                • 138.201.212.111
                                                RisingStrip.exeGet hashmaliciousVidarBrowse
                                                • 116.203.13.109
                                                ebjtOH70jl.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                • 135.181.65.216
                                                2Mi3lKoJfj.exeGet hashmaliciousQuasarBrowse
                                                • 195.201.57.90

                                                JA3 Fingerprints

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                3b5074b1b5d032e5620f69f9f700ff0ejaTDEkWCbs.exeGet hashmaliciousQuasarBrowse
                                                • 195.201.57.90
                                                3LcZO15oTC.exeGet hashmaliciousUnknownBrowse
                                                • 195.201.57.90
                                                3LcZO15oTC.exeGet hashmaliciousUnknownBrowse
                                                • 195.201.57.90
                                                elyho3x5zz.exeGet hashmaliciousUnknownBrowse
                                                • 195.201.57.90
                                                17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                • 195.201.57.90
                                                elyho3x5zz.exeGet hashmaliciousUnknownBrowse
                                                • 195.201.57.90
                                                Tax_Refund_Claim_2024_Australian_Taxation_Office.jsGet hashmaliciousRemcosBrowse
                                                • 195.201.57.90
                                                c2.htaGet hashmaliciousRemcosBrowse
                                                • 195.201.57.90
                                                3lhrJ4X.exeGet hashmaliciousLiteHTTP BotBrowse
                                                • 195.201.57.90

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                Download File
                                                Process:C:\Windows\System32\Runtime Broker\Runtime Broker.exe
                                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                Category:dropped
                                                Size (bytes):71954
                                                Entropy (8bit):7.996617769952133
                                                Encrypted:true
                                                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                Download File
                                                Process:C:\Windows\System32\Runtime Broker\Runtime Broker.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):328
                                                Entropy (8bit):3.2197640996403147
                                                Encrypted:false
                                                SSDEEP:6:kKh9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:oDImsLNkPlE99SNxAhUe/3
                                                MD5:98D302C280F8B4B15E5C1868F356D0C2
                                                SHA1:BADC176863D8028C6FE2FEE4C103351682BDBFF0
                                                SHA-256:46EB0FFCB4488E7E56C974BC42CCCCBB5695D51A4B7FBE9A2576EB03A956DE6D
                                                SHA-512:FDFCF20BFB2D85D332DA0C709B3B3F15682DEBF023FC4AD34506DF2127730432ED991188A3ABA63CF65BEA285DD6168DB8DBE1501EE4A183EDD02D473F607F6C
                                                Malicious:false
                                                Reputation:low
                                                Preview:p...... .........ot.._..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

                                                Download File
                                                Process:C:\Windows\System32\Runtime Broker\Runtime Broker.exe
                                                File Type:CSV text
                                                Category:dropped
                                                Size (bytes):1281
                                                Entropy (8bit):5.370111951859942
                                                Encrypted:false
                                                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ny9LDJr6pA.exe.log

                                                Download File
                                                Process:C:\Users\user\Desktop\ny9LDJr6pA.exe
                                                File Type:CSV text
                                                Category:dropped
                                                Size (bytes):1281
                                                Entropy (8bit):5.370111951859942
                                                Encrypted:false
                                                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                Malicious:true
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                                C:\Windows\System32\Runtime Broker\Runtime Broker.exe

                                                Download File
                                                Process:C:\Users\user\Desktop\ny9LDJr6pA.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):3266048
                                                Entropy (8bit):6.084421049485132
                                                Encrypted:false
                                                SSDEEP:49152:Pv/lL26AaNeWgPhlmVqvMQ7XSK4tMK1J3SoGdOTHHB72eh2NT:PvNL26AaNeWgPhlmVqkQ7XSK4tMz
                                                MD5:196E2AE082841B1AB98DCFA445CF2704
                                                SHA1:4AF7F4BB970331AE1EB569100DE98C93B61C5459
                                                SHA-256:C3E669B477D3E633BF336FC5D2506C86C8FC61B4D0BE36FE2BBE3B361CF70A70
                                                SHA-512:B64CF310FC65954C4873889CE68BCE0539435539D6FF017D8C0238EE829EC9FD5220398558F58E17E9154210856F245D94BD6BCF7780EDF0AAE6BED71958232E
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Joe Security
                                                • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Florian Roth
                                                • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: ditekSHen
                                                • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: ditekshen
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 74%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@...................................1.W.....2...................... 2...................................................... ............... ..H............text...4.1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(....*....0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........-5..........08......f~w...,.~....(....(....*.*v.(.....s....}.....s....}....*r..(......(.....(......(....*....0..L........{....r...po....

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):6.084421049485132
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:ny9LDJr6pA.exe
                                                File size:3'266'048 bytes
                                                MD5:196e2ae082841b1ab98dcfa445cf2704
                                                SHA1:4af7f4bb970331ae1eb569100de98c93b61c5459
                                                SHA256:c3e669b477d3e633bf336fc5d2506c86c8fc61b4d0be36fe2bbe3b361cf70a70
                                                SHA512:b64cf310fc65954c4873889ce68bce0539435539d6ff017d8c0238ee829ec9fd5220398558f58e17e9154210856f245d94bd6bcf7780edf0aae6bed71958232e
                                                SSDEEP:49152:Pv/lL26AaNeWgPhlmVqvMQ7XSK4tMK1J3SoGdOTHHB72eh2NT:PvNL26AaNeWgPhlmVqkQ7XSK4tMz
                                                TLSH:56E55A1437F85E23E1BBE273D5B0041667F1EC2AB3A3FB5B6181677A1C53B505801AAB
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

                                                File Icon

                                                Icon Hash:90cececece8e8eb0

                                                Static PE Info

                                                General

                                                Entrypoint:0x71e42e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

                                                Data Directories

                                                NameVirtual AddressVirtual Size Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT0x31e3d40x57.text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x3200000xaec.rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x3220000xc.reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                Sections

                                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                .text0x20000x31c4340x31c600a329949c1442b8351b0ee0324f979454unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rsrc0x3200000xaec0xc004e1303286f1c711139751157853de5daFalse0.3766276041666667data5.205668892059367IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc0x3220000xc0x20099e75cdb3927a57ba5de39a6c2349231False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                                RT_VERSION0x3200a00x374data0.4287330316742081
                                                RT_MANIFEST0x3204140x6d7XML 1.0 document, Unicode text, UTF-8 (with BOM) text0.40319817247287265

                                                Imports

                                                DLLImport
                                                mscoree.dll_CorExeMain

                                                Network Behavior

                                                Suricata IDS Alerts

                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                2025-01-06T04:17:02.860816+01002027619ET MALWARE Observed Malicious SSL Cert (Quasar CnC)191.160.181.2374782192.168.2.449730TCP
                                                2025-01-06T04:17:02.860816+01002035595ET MALWARE Generic AsyncRAT Style SSL Cert191.160.181.2374782192.168.2.449730TCP

                                                Network Port Distribution

                                                TCP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Jan 6, 2025 04:17:02.194314957 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:02.199505091 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:02.201628923 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:02.210808992 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:02.215665102 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:02.852132082 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:02.852150917 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:02.852302074 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:02.856036901 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:02.860816002 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:03.049983978 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:03.106365919 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:04.366343021 CET49732443192.168.2.4195.201.57.90
                                                Jan 6, 2025 04:17:04.366379976 CET44349732195.201.57.90192.168.2.4
                                                Jan 6, 2025 04:17:04.366463900 CET49732443192.168.2.4195.201.57.90
                                                Jan 6, 2025 04:17:04.367539883 CET49732443192.168.2.4195.201.57.90
                                                Jan 6, 2025 04:17:04.367556095 CET44349732195.201.57.90192.168.2.4
                                                Jan 6, 2025 04:17:05.223598957 CET44349732195.201.57.90192.168.2.4
                                                Jan 6, 2025 04:17:05.223707914 CET49732443192.168.2.4195.201.57.90
                                                Jan 6, 2025 04:17:05.228446007 CET49732443192.168.2.4195.201.57.90
                                                Jan 6, 2025 04:17:05.228456020 CET44349732195.201.57.90192.168.2.4
                                                Jan 6, 2025 04:17:05.228656054 CET44349732195.201.57.90192.168.2.4
                                                Jan 6, 2025 04:17:05.256797075 CET49732443192.168.2.4195.201.57.90
                                                Jan 6, 2025 04:17:05.303334951 CET44349732195.201.57.90192.168.2.4
                                                Jan 6, 2025 04:17:05.448674917 CET44349732195.201.57.90192.168.2.4
                                                Jan 6, 2025 04:17:05.448715925 CET44349732195.201.57.90192.168.2.4
                                                Jan 6, 2025 04:17:05.448757887 CET49732443192.168.2.4195.201.57.90
                                                Jan 6, 2025 04:17:05.528491974 CET49732443192.168.2.4195.201.57.90
                                                Jan 6, 2025 04:17:06.562372923 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:06.567329884 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:06.567390919 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:06.572285891 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:06.891310930 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:06.934511900 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:07.039750099 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:07.090744019 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:32.044023991 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:32.048930883 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:17:57.059562922 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:17:57.064378977 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:18:22.079365015 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:18:22.084207058 CET47824973091.160.181.237192.168.2.4
                                                Jan 6, 2025 04:18:47.123394012 CET497304782192.168.2.491.160.181.237
                                                Jan 6, 2025 04:18:47.128232956 CET47824973091.160.181.237192.168.2.4

                                                UDP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Jan 6, 2025 04:17:04.354173899 CET5565353192.168.2.41.1.1.1
                                                Jan 6, 2025 04:17:04.361259937 CET53556531.1.1.1192.168.2.4

                                                DNS Queries

                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                Jan 6, 2025 04:17:04.354173899 CET192.168.2.41.1.1.10x6cf1Standard query (0)ipwho.isA (IP address)IN (0x0001)false

                                                DNS Answers

                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                Jan 6, 2025 04:17:03.617206097 CET1.1.1.1192.168.2.40x3baeNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                Jan 6, 2025 04:17:03.617206097 CET1.1.1.1192.168.2.40x3baeNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                Jan 6, 2025 04:17:04.361259937 CET1.1.1.1192.168.2.40x6cf1No error (0)ipwho.is195.201.57.90A (IP address)IN (0x0001)false

                                                HTTP Request Dependency Graph

                                                • ipwho.is

                                                HTTPS Proxied Packets

                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                0192.168.2.449732195.201.57.904437600C:\Windows\System32\Runtime Broker\Runtime Broker.exe
                                                TimestampBytes transferredDirectionData
                                                2025-01-06 03:17:05 UTC150OUTGET / HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                                Host: ipwho.is
                                                Connection: Keep-Alive
                                                2025-01-06 03:17:05 UTC223INHTTP/1.1 200 OK
                                                Date: Mon, 06 Jan 2025 03:17:05 GMT
                                                Content-Type: application/json; charset=utf-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Server: ipwhois
                                                Access-Control-Allow-Headers: *
                                                X-Robots-Tag: noindex
                                                2025-01-06 03:17:05 UTC1021INData Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f
                                                Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo


                                                Statistics

                                                CPU Usage

                                                Click to jump to process

                                                Memory Usage

                                                Click to jump to process

                                                High Level Behavior Distribution

                                                Click to dive into process behavior distribution

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                General

                                                Target ID:0
                                                Start time:22:16:57
                                                Start date:05/01/2025
                                                Path:C:\Users\user\Desktop\ny9LDJr6pA.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\ny9LDJr6pA.exe"
                                                Imagebase:0x690000
                                                File size:3'266'048 bytes
                                                MD5 hash:196E2AE082841B1AB98DCFA445CF2704
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1702180563.000000001B990000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1672163780.0000000000692000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                General

                                                Target ID:1
                                                Start time:22:16:59
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\schtasks.exe
                                                Wow64 process (32bit):false
                                                Commandline:"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f
                                                Imagebase:0x7ff76f990000
                                                File size:235'008 bytes
                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:2
                                                Start time:22:16:59
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:3
                                                Start time:22:16:59
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\Runtime Broker\Runtime Broker.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\system32\Runtime Broker\Runtime Broker.exe"
                                                Imagebase:0xdc0000
                                                File size:3'266'048 bytes
                                                MD5 hash:196E2AE082841B1AB98DCFA445CF2704
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.2938288249.0000000003682000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Joe Security
                                                • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Florian Roth
                                                • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: ditekSHen
                                                • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: ditekshen
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 74%, ReversingLabs
                                                Reputation:low
                                                Has exited:false

                                                General

                                                Target ID:4
                                                Start time:22:17:00
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\Runtime Broker\Runtime Broker.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\system32\Runtime Broker\Runtime Broker.exe"
                                                Imagebase:0x2c0000
                                                File size:3'266'048 bytes
                                                MD5 hash:196E2AE082841B1AB98DCFA445CF2704
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                General

                                                Target ID:5
                                                Start time:22:17:01
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\schtasks.exe
                                                Wow64 process (32bit):false
                                                Commandline:"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f
                                                Imagebase:0x7ff76f990000
                                                File size:235'008 bytes
                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:6
                                                Start time:22:17:01
                                                Start date:05/01/2025
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Disassembly

                                                Reset < >

                                                  Execution Graph

                                                  Execution Coverage:15.3%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:13
                                                  Total number of Limit Nodes:0
                                                  execution_graph 1780 7ffd9b873811 1781 7ffd9b87382f 1780->1781 1782 7ffd9b8738c4 1781->1782 1785 7ffd9b873540 1782->1785 1784 7ffd9b8738d1 1787 7ffd9b873551 DeleteFileW 1785->1787 1788 7ffd9b873616 1787->1788 1788->1784 1789 7ffd9b873569 1790 7ffd9b873571 DeleteFileW 1789->1790 1792 7ffd9b873616 1790->1792 1793 7ffd9b873525 1794 7ffd9b873531 DeleteFileW 1793->1794 1796 7ffd9b873616 1794->1796

                                                  Executed Functions

                                                  Function 00007FFD9B873525 Relevance: 1.6, APIs: 1, Instructions: 136fileCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1703576564.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_ny9LDJr6pA.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: 1e2ee26a0a7bd83f2ec989e03e91e4d3ee78315d88cec8cd8e8adaf03d48fd74
                                                  • Instruction ID: 0ac869143dc815ad3a720c1c7e06bcb8e41100e187c14c308b9bff6b554f310e
                                                  • Opcode Fuzzy Hash: 1e2ee26a0a7bd83f2ec989e03e91e4d3ee78315d88cec8cd8e8adaf03d48fd74
                                                  • Instruction Fuzzy Hash: 1541063190DB9C4FDB19DF6888596E97FF0FF5A310F0542AFD049C72A2DA24A906C751
                                                  Function 00007FFD9B873569 Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 14 7ffd9b873569-7ffd9b8735d8 19 7ffd9b8735e2-7ffd9b873614 DeleteFileW 14->19 20 7ffd9b8735da-7ffd9b8735df 14->20 21 7ffd9b87361c-7ffd9b87364a 19->21 22 7ffd9b873616 19->22 20->19 22->21
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1703576564.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b870000_ny9LDJr6pA.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: 2bf3bea75ecbe8465ad36b2dd48a9e837dd9650d36ee013d0d822ea1d9a47b43
                                                  • Instruction ID: edd25d39ecd2d31585063957676f5950b806a1e7bb3639aae12154d1f5bf9050
                                                  • Opcode Fuzzy Hash: 2bf3bea75ecbe8465ad36b2dd48a9e837dd9650d36ee013d0d822ea1d9a47b43
                                                  • Instruction Fuzzy Hash: 7D31C37190CB5C8FDB19DB5888556F9BBF0FF65310F04426BD049D3292DB74A9068B91

                                                  Execution Graph

                                                  Execution Coverage:6.1%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:8
                                                  Total number of Limit Nodes:1
                                                  execution_graph 47403 7ffd9b893569 47404 7ffd9b893571 DeleteFileW 47403->47404 47406 7ffd9b893616 47404->47406 47407 7ffd9bb0e6f9 47408 7ffd9bb0e70f 47407->47408 47409 7ffd9bb0e7bb 47408->47409 47410 7ffd9bb0e8b4 SetWindowsHookExW 47408->47410 47411 7ffd9bb0e8f6 47410->47411

                                                  Executed Functions

                                                  Function 00007FFD9BC2237C Relevance: 7.3, Strings: 1, Instructions: 6046COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: 09c747c980c26d5bb725b145c137b2ace6107bad1bd8b2275befda418fb1c957
                                                  • Instruction ID: 83e57d114e720b92b890f6650e24c4dd6fad6e182123069a4aee869595386e9c
                                                  • Opcode Fuzzy Hash: 09c747c980c26d5bb725b145c137b2ace6107bad1bd8b2275befda418fb1c957
                                                  • Instruction Fuzzy Hash: 9273C252B2AE4E0BFBB996BC047527D52C2EFD8650B5E417AD41EC32FAED19ED024340
                                                  Function 00007FFD9BB055D6 Relevance: 2.1, Instructions: 2113COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4e385c0e5343280451b385973ef4ea88d1cb56094c958b557df1a2014afd594d
                                                  • Instruction ID: dd0d10b50ae1cdef3e7af433b8980147184223e938d69b5b39e155b9601a2110
                                                  • Opcode Fuzzy Hash: 4e385c0e5343280451b385973ef4ea88d1cb56094c958b557df1a2014afd594d
                                                  • Instruction Fuzzy Hash: E3F29070A19A0D8FDFA8EF58C494BB977E1FF58304F1141A9D48ED72A6DA34E981CB40
                                                  Function 00007FFD9BB1B7FC Relevance: 2.1, Strings: 1, Instructions: 837COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 2260 7ffd9bb1b7fc-7ffd9bb1b844 2263 7ffd9bb1b846-7ffd9bb1b8a0 2260->2263 2264 7ffd9bb1b8a5-7ffd9bb1b8a9 2260->2264 2304 7ffd9bb1be7f-7ffd9bb1be92 2263->2304 2265 7ffd9bb1b8ba 2264->2265 2266 7ffd9bb1b8ab-7ffd9bb1b8b3 call 7ffd9bb09fd0 2264->2266 2269 7ffd9bb1b8bc-7ffd9bb1b8c5 2265->2269 2270 7ffd9bb1b8b8 2266->2270 2271 7ffd9bb1b9fa-7ffd9bb1b9ff 2269->2271 2272 7ffd9bb1b8cb-7ffd9bb1b8d0 2269->2272 2270->2269 2274 7ffd9bb1ba01-7ffd9bb1ba13 call 7ffd9bb03830 2271->2274 2275 7ffd9bb1ba65-7ffd9bb1ba69 2271->2275 2276 7ffd9bb1be93-7ffd9bb1bec5 2272->2276 2277 7ffd9bb1b8d6-7ffd9bb1b8db 2272->2277 2294 7ffd9bb1ba18-7ffd9bb1ba1f 2274->2294 2283 7ffd9bb1baba-7ffd9bb1bae5 2275->2283 2284 7ffd9bb1ba6b-7ffd9bb1ba87 call 7ffd9bb04180 2275->2284 2288 7ffd9bb1becc-7ffd9bb1befe 2276->2288 2281 7ffd9bb1b8dd-7ffd9bb1b8e9 2277->2281 2282 7ffd9bb1b8ef-7ffd9bb1b905 call 7ffd9bb09bf0 2277->2282 2281->2282 2281->2288 2291 7ffd9bb1b90a-7ffd9bb1b9f5 call 7ffd9bb0a890 2282->2291 2312 7ffd9bb1baf4 2283->2312 2313 7ffd9bb1bae7-7ffd9bb1baf2 2283->2313 2308 7ffd9bb1ba8d-7ffd9bb1bab5 2284->2308 2309 7ffd9bb1bf05-7ffd9bb1bf21 2284->2309 2288->2309 2291->2304 2299 7ffd9bb1ba21-7ffd9bb1ba42 call 7ffd9bb1b680 2294->2299 2300 7ffd9bb1ba15-7ffd9bb1ba16 2294->2300 2317 7ffd9bb1ba47-7ffd9bb1ba60 2299->2317 2300->2294 2308->2304 2330 7ffd9bb1bf28-7ffd9bb1bf53 2309->2330 2318 7ffd9bb1baf6-7ffd9bb1bb25 2312->2318 2313->2318 2317->2304 2325 7ffd9bb1bd07-7ffd9bb1bd0a 2318->2325 2326 7ffd9bb1bb2b-7ffd9bb1bb4a call 7ffd9bb07b40 2318->2326 2329 7ffd9bb1bc1a-7ffd9bb1bc1c 2325->2329 2338 7ffd9bb1bb50-7ffd9bb1bb67 call 7ffd9bb07220 2326->2338 2339 7ffd9bb1bcff-7ffd9bb1bd02 2326->2339 2333 7ffd9bb1bc22-7ffd9bb1bc41 call 7ffd9bb07b40 2329->2333 2334 7ffd9bb1bcd1-7ffd9bb1bcda 2329->2334 2355 7ffd9bb1bf80-7ffd9bb1bfaa 2330->2355 2356 7ffd9bb1bf55-7ffd9bb1bf77 2330->2356 2333->2334 2353 7ffd9bb1bc47-7ffd9bb1bc5e call 7ffd9bb07220 2333->2353 2336 7ffd9bb1bce0-7ffd9bb1bce5 2334->2336 2337 7ffd9bb1bdb7-7ffd9bb1bdbc 2334->2337 2341 7ffd9bb1bd0f 2336->2341 2342 7ffd9bb1bce7-7ffd9bb1bcf5 2336->2342 2347 7ffd9bb1bdbe-7ffd9bb1bde2 2337->2347 2348 7ffd9bb1be0a-7ffd9bb1be74 2337->2348 2360 7ffd9bb1bb80-7ffd9bb1bb8a 2338->2360 2361 7ffd9bb1bb69-7ffd9bb1bb7e 2338->2361 2339->2329 2352 7ffd9bb1bd11-7ffd9bb1bd13 2341->2352 2342->2352 2357 7ffd9bb1be02-7ffd9bb1be03 2347->2357 2358 7ffd9bb1bde4-7ffd9bb1bdfb 2347->2358 2367 7ffd9bb1be7b-7ffd9bb1be7c 2348->2367 2362 7ffd9bb1bd15-7ffd9bb1bd18 2352->2362 2363 7ffd9bb1bd1a-7ffd9bb1bd1f 2352->2363 2375 7ffd9bb1bc60-7ffd9bb1bc75 2353->2375 2376 7ffd9bb1bc77-7ffd9bb1bc7e 2353->2376 2379 7ffd9bb1bf7e 2356->2379 2357->2348 2358->2357 2368 7ffd9bb1bbb6-7ffd9bb1bbbd 2360->2368 2369 7ffd9bb1bb8c-7ffd9bb1bbb0 2360->2369 2361->2360 2370 7ffd9bb1bd52-7ffd9bb1bd5e 2362->2370 2371 7ffd9bb1bd21-7ffd9bb1bd43 2363->2371 2372 7ffd9bb1bd4a-7ffd9bb1bd4f 2363->2372 2367->2304 2368->2379 2380 7ffd9bb1bbc3-7ffd9bb1bbda 2368->2380 2369->2330 2369->2368 2388 7ffd9bb1bd60-7ffd9bb1bd63 2370->2388 2389 7ffd9bb1bdaa-7ffd9bb1bdb1 2370->2389 2371->2372 2372->2370 2375->2376 2376->2379 2384 7ffd9bb1bc84-7ffd9bb1bc9a 2376->2384 2379->2355 2386 7ffd9bb1bbdc-7ffd9bb1bbdd 2380->2386 2387 7ffd9bb1bbfb-7ffd9bb1bc14 call 7ffd9bb07b40 2380->2387 2390 7ffd9bb1bcb3-7ffd9bb1bccb call 7ffd9bb07b40 2384->2390 2391 7ffd9bb1bc9c-7ffd9bb1bc9d 2384->2391 2393 7ffd9bb1bbe4-7ffd9bb1bbf9 2386->2393 2387->2329 2407 7ffd9bb1bcf7-7ffd9bb1bcfa 2387->2407 2395 7ffd9bb1bd65-7ffd9bb1bd80 2388->2395 2396 7ffd9bb1bd88-7ffd9bb1bda6 call 7ffd9bb053c0 2388->2396 2389->2336 2389->2337 2390->2334 2390->2353 2400 7ffd9bb1bca4-7ffd9bb1bcac 2391->2400 2393->2387 2395->2396 2396->2389 2400->2390 2407->2338
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: g%_H
                                                  • API String ID: 0-4229373076
                                                  • Opcode ID: 781189a1c94db73da29ab8b6b8aabcab90063d9f7d1c50e7daf5386925858cbc
                                                  • Instruction ID: 0efe100f5e1c3c77136ea23b88e8e66b437e4020f344ba89e4d5561fe40b4fa4
                                                  • Opcode Fuzzy Hash: 781189a1c94db73da29ab8b6b8aabcab90063d9f7d1c50e7daf5386925858cbc
                                                  • Instruction Fuzzy Hash: 3642AE31B19A098FEBB8EF5884A5679B3E1FF98304F41457DD44EC32E6DE24B9428781
                                                  Function 00007FFD9BB09FD0 Relevance: 1.1, Instructions: 1064COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 731fc9730e31f2e5946e932e90cab5a613dc9cc8840d087be1797d57029936cb
                                                  • Instruction ID: 5aa35b1a46eb1bac389c94ba3fbea3eb2343c27e312e51cf79dbaec5339c8d1a
                                                  • Opcode Fuzzy Hash: 731fc9730e31f2e5946e932e90cab5a613dc9cc8840d087be1797d57029936cb
                                                  • Instruction Fuzzy Hash: BC621631B1D94D4FEBA8EB2C9465BB437D1FF99314B0505BAE48EC32E6DE24AC428741
                                                  Function 00007FFD9BB1EBCC Relevance: .9, Instructions: 896COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e4ac1423b775e466b0347953cb993b551483895b62d3a69dd3275b89eb066346
                                                  • Instruction ID: fee95172ae776ffcdb5e80516752f01d35ec574371fa194dcb0da015f4b71452
                                                  • Opcode Fuzzy Hash: e4ac1423b775e466b0347953cb993b551483895b62d3a69dd3275b89eb066346
                                                  • Instruction Fuzzy Hash: 9B528F31B18A4A8FDB98DF1888A1AA973E2FF98304F55416DE45EC72D6DE34F842C741
                                                  Function 00007FFD9BB0AFDD Relevance: .9, Instructions: 859COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8117e5291a03d7b5234ae42a33ac40bf20f5663eb008774daceed78c51abca27
                                                  • Instruction ID: 543b603c63172c9bd3647dec8a916485b976e111fd11d0647241539d14b5f078
                                                  • Opcode Fuzzy Hash: 8117e5291a03d7b5234ae42a33ac40bf20f5663eb008774daceed78c51abca27
                                                  • Instruction Fuzzy Hash: 17524130B18A498FDBA8EB2CC465B7977E1FF99304F1541B9E08DC72AADE35E8418741
                                                  Function 00007FFD9BB1C1FC Relevance: .7, Instructions: 721COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 698d41ef2c1d9094a59aa59d503b887af6ca71783fb4865735c81fa1dd10f536
                                                  • Instruction ID: ef52dbcc3ef5ba83b68d1d76fb13c14b14012991c56819efdfdae9e1121b3efe
                                                  • Opcode Fuzzy Hash: 698d41ef2c1d9094a59aa59d503b887af6ca71783fb4865735c81fa1dd10f536
                                                  • Instruction Fuzzy Hash: 21225731B1EA4A4FE769DE68C4A16B977D1FF94304F0501BDD49ECB1D6EE28B9028381
                                                  Function 00007FFD9BB09271 Relevance: .7, Instructions: 678COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 86d1699628c61b3c798facdfc64e0209e7e5631c7ec6066d24c4729293b7368b
                                                  • Instruction ID: 37110789592255c8d5fffc1d44c3e0e0b4615b416a1cad8a324c61fbfb927242
                                                  • Opcode Fuzzy Hash: 86d1699628c61b3c798facdfc64e0209e7e5631c7ec6066d24c4729293b7368b
                                                  • Instruction Fuzzy Hash: 3A226030B19A094FEB68EB5C84A97B977E2FF98304F15417DD48EC32E6DE24E9428741
                                                  Function 00007FFD9BB0621F Relevance: .5, Instructions: 530COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 89c5596611dd9685f77f23cfc079efb8fc0f50f1b9b5a907b881cbd445883ca0
                                                  • Instruction ID: fabfc57862a7c04e421ed34bc423d417528ffefa3cef9be3eca289559239d61f
                                                  • Opcode Fuzzy Hash: 89c5596611dd9685f77f23cfc079efb8fc0f50f1b9b5a907b881cbd445883ca0
                                                  • Instruction Fuzzy Hash: DF024E30A18A1E8FEBA8DF58C4547B977E1FF98305F1541BAD44ED32A9DE34B9818B40
                                                  Function 00007FFD9BB17C16 Relevance: .5, Instructions: 474COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 48c8e3aff4467c4ba490902b13ca6e5ca429bc928ea8c724a489724a39fd564c
                                                  • Instruction ID: a9953fa5d6a9595d2c36e04f41605324deeecd6f5a554d44bd5641bfe32705aa
                                                  • Opcode Fuzzy Hash: 48c8e3aff4467c4ba490902b13ca6e5ca429bc928ea8c724a489724a39fd564c
                                                  • Instruction Fuzzy Hash: 80F1B471609A8D8FEBA8DF28C855BF937E1FF55310F04426AE84DC72D5CB3499418B82
                                                  Function 00007FFD9BB18A0F Relevance: .4, Instructions: 425COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9c1f8d37ce138dda1cf7235c8c845cb0b543bbc6887f3d11c608e56f53045ebc
                                                  • Instruction ID: fc613f379a222095586009a7f0edf86e4fee96e207236afd69f45d299726cffd
                                                  • Opcode Fuzzy Hash: 9c1f8d37ce138dda1cf7235c8c845cb0b543bbc6887f3d11c608e56f53045ebc
                                                  • Instruction Fuzzy Hash: 10D18230A09A4D8FEBA8DF28D8657E977D1FB98310F14826EE80DC72D5DE7499418B81
                                                  Function 00007FFD9BB0E6F9 Relevance: 1.8, APIs: 1, Instructions: 274COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 2577 7ffd9bb0e6f9-7ffd9bb0e7b9 call 7ffd9bb0e0e8 2591 7ffd9bb0e7f8-7ffd9bb0e87e 2577->2591 2592 7ffd9bb0e7bb-7ffd9bb0e7f7 2577->2592 2599 7ffd9bb0e884-7ffd9bb0e891 2591->2599 2600 7ffd9bb0e936-7ffd9bb0e93a 2591->2600 2601 7ffd9bb0e893-7ffd9bb0e8f4 SetWindowsHookExW 2599->2601 2600->2601 2605 7ffd9bb0e8f6 2601->2605 2606 7ffd9bb0e8fc-7ffd9bb0e935 2601->2606 2605->2606
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 25ca01c35eae90a696a54bf345241aec090ec2036f7b6d155bf07c740e7d05a8
                                                  • Instruction ID: 09fc44d2e92a574a19aa7f2ecdabeeac00fa69750de19ab0328799866be9ac1e
                                                  • Opcode Fuzzy Hash: 25ca01c35eae90a696a54bf345241aec090ec2036f7b6d155bf07c740e7d05a8
                                                  • Instruction Fuzzy Hash: EB71F631B1DA4D4FDB58EB6C98665F97BE1FF59310B0441BFE049C32D6EE24A8428781
                                                  Function 00007FFD9B893525 Relevance: 1.6, APIs: 1, Instructions: 137fileCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 3254 7ffd9b893525-7ffd9b89352f 3255 7ffd9b893571-7ffd9b8935d8 3254->3255 3256 7ffd9b893531-7ffd9b893562 3254->3256 3262 7ffd9b8935da-7ffd9b8935df 3255->3262 3263 7ffd9b8935e2-7ffd9b893614 DeleteFileW 3255->3263 3256->3255 3262->3263 3264 7ffd9b893616 3263->3264 3265 7ffd9b89361c-7ffd9b89364a 3263->3265 3264->3265
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2945641544.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b890000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: b8ba7d988387f9b5836c82253274fe8e89a8ae093a309e0cd46f56a84fc0da86
                                                  • Instruction ID: fe25bd791057d69defad3dbf8d20dfa7b3ca876e415234be6d1daed760d10b01
                                                  • Opcode Fuzzy Hash: b8ba7d988387f9b5836c82253274fe8e89a8ae093a309e0cd46f56a84fc0da86
                                                  • Instruction Fuzzy Hash: DE41287190DB9C9FDB19DBA888596E97FF0FF6A310F0542AFD049C71A2DA24A805C781
                                                  Function 00007FFD9B893569 Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2945641544.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b890000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: 3bf399873c0c78a1dc94189b4f8c3616a19964a0830f42017994917a0f4ea379
                                                  • Instruction ID: e53f29182c8904a57518b8f9dd0e1c2d49836896f4afc4bc1820d11034cac786
                                                  • Opcode Fuzzy Hash: 3bf399873c0c78a1dc94189b4f8c3616a19964a0830f42017994917a0f4ea379
                                                  • Instruction Fuzzy Hash: 9431D47190CB5C8FDB19DB98C8556E9BBF0FF65310F04426BD049D3192DB74A805CB81
                                                  Function 00007FFD9BC252F1 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: 13ac50792e213cbe5647e9a302ca3807f25dec3f7894e7529d599c036544359d
                                                  • Instruction ID: 8c3d28b599f5a5ad1b8ffea08bb00a4b9d1bed33bb05afb3f26c4ab862a896b3
                                                  • Opcode Fuzzy Hash: 13ac50792e213cbe5647e9a302ca3807f25dec3f7894e7529d599c036544359d
                                                  • Instruction Fuzzy Hash: 53210702B1EA4E0BFBBAA27C147517D56C2EF98650B5E01BAD40EC72E7ED29FD424300
                                                  Function 00007FFD9BC220C9 Relevance: .3, Instructions: 251COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d7e54095410f0b1d867af15eb790e27ac271db3cc9ed3eb479c32874abf98cb7
                                                  • Instruction ID: 520c9c553601c9027731fca9212a4d1793f7b144e8e37f51a6377644db2747f3
                                                  • Opcode Fuzzy Hash: d7e54095410f0b1d867af15eb790e27ac271db3cc9ed3eb479c32874abf98cb7
                                                  • Instruction Fuzzy Hash: C5615311B2AE6F0BE6A597ED84A677962D6FFAC700F494039D10DC72E6CE1DED024381
                                                  Function 00007FFD9B77ED84 Relevance: .1, Instructions: 134COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2945299456.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b77d000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2de8f306bbec138576bf964626e5e08b26de74f2b501acf462c4c141ea9e3b86
                                                  • Instruction ID: 60ad93e35fec6ef9debba8b668dfd6c6408448b6f68073b514a8d08f909e2401
                                                  • Opcode Fuzzy Hash: 2de8f306bbec138576bf964626e5e08b26de74f2b501acf462c4c141ea9e3b86
                                                  • Instruction Fuzzy Hash: 7541D43150EBC44FD756CB2898959523FF0EF56320B1506DFD088CB1B3D669A846C7A2
                                                  Function 00007FFD9BC2014A Relevance: .1, Instructions: 126COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 82865db6a9940365dd4c249e66aabe00faab96ce644ef9c216403746e7599dda
                                                  • Instruction ID: 1945b17b67b59188a72d489907383e96131528a433a68cd6ef1becb7b57ecb98
                                                  • Opcode Fuzzy Hash: 82865db6a9940365dd4c249e66aabe00faab96ce644ef9c216403746e7599dda
                                                  • Instruction Fuzzy Hash: DB310722B1EB8D0FE7A8D76C58766B877C1EB65610F0901BFD49EC32E2DD15AC428342
                                                  Function 00007FFD9BC20676 Relevance: .1, Instructions: 123COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 56e654f26f988efb0f1354ac68ed76647d9e371e15831a29ca364a481a3f88bc
                                                  • Instruction ID: 70d13b6bddd5e154c6d25cdcd9e7a58892c9479813807b872e33489199e20033
                                                  • Opcode Fuzzy Hash: 56e654f26f988efb0f1354ac68ed76647d9e371e15831a29ca364a481a3f88bc
                                                  • Instruction Fuzzy Hash: 44311862B1EA4D0FE79C966C582677877C1EBA4B10F49017FD49EC32E3DD18AD028382
                                                  Function 00007FFD9BC2007C Relevance: .1, Instructions: 110COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 05b2ad5779dbb2c7af2c45d8daeb70ba83af6734fc6bc0a18da684f7d6186676
                                                  • Instruction ID: fdd4aa7f29f89172fc41276708ef60c96fb4cce3d9209290851f253dd09385c0
                                                  • Opcode Fuzzy Hash: 05b2ad5779dbb2c7af2c45d8daeb70ba83af6734fc6bc0a18da684f7d6186676
                                                  • Instruction Fuzzy Hash: 9F21E43170D94C0FEB6CEA6C9869A7937D1E7A9721B05027FD44EC36A2DD55ED428380
                                                  Function 00007FFD9BC23D9F Relevance: .1, Instructions: 107COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3715c5fa45d27e889f141adfd9223269566cec369d2c9d6aed45199e77e9c241
                                                  • Instruction ID: 91e5c82014e3eb01a28a7d8b2c1aae6550c501198065b884e72efb0350707dfa
                                                  • Opcode Fuzzy Hash: 3715c5fa45d27e889f141adfd9223269566cec369d2c9d6aed45199e77e9c241
                                                  • Instruction Fuzzy Hash: EE218412B2EE4E0FFBBA927C187517956C2EFD8660B5A00BAD40DC72E7ED19ED024341
                                                  Function 00007FFD9BC25090 Relevance: .1, Instructions: 107COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0950cebf9f60d7c038aa47ca3914dead69f83175b9ea56a4a2572bf11e432796
                                                  • Instruction ID: 468d8b0389059dee45fd9adbe3ce1f3a8382096efb5fbeffd9a971f2085d24d6
                                                  • Opcode Fuzzy Hash: 0950cebf9f60d7c038aa47ca3914dead69f83175b9ea56a4a2572bf11e432796
                                                  • Instruction Fuzzy Hash: DA21D811B1AE4E0BF7B9927C187567956C2EFD8650B5E01BAD00EC72E6ED19FD024341
                                                  Function 00007FFD9BC243EE Relevance: .1, Instructions: 106COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 63c4156294c16b127cfb79dc6f464bef7d58401739e1a94a0c57c072092cf1e9
                                                  • Instruction ID: 801503daf15ce87226bd4ba3d088297d146541bfcb3acc728bf35cc14b7d36a2
                                                  • Opcode Fuzzy Hash: 63c4156294c16b127cfb79dc6f464bef7d58401739e1a94a0c57c072092cf1e9
                                                  • Instruction Fuzzy Hash: 8821E452B1EE4F0BFBB9E67C047517856C2EFD8650B6A01BAD40EC72EAED19ED024341
                                                  Function 00007FFD9BC235BA Relevance: .1, Instructions: 105COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0e21adab4d053a78c7fa1e8fdc3b68811ce52d6c87f868647213c3e7c2060c52
                                                  • Instruction ID: c58b2f269642dd77f0ee16f6bf4028dd23dfd5a9f921b54a00522c35087dcb21
                                                  • Opcode Fuzzy Hash: 0e21adab4d053a78c7fa1e8fdc3b68811ce52d6c87f868647213c3e7c2060c52
                                                  • Instruction Fuzzy Hash: DB21B411B1AE4F0FE7B9A3BC186527956C2EFD8660B9A007AD40EC72E7ED19ED024340
                                                  Function 00007FFD9BC22AAF Relevance: .1, Instructions: 103COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cba28e9330ecc86f782662e82a2dd3b4270b8bb2da98a69048a680f450900f06
                                                  • Instruction ID: eb60890df89fd87d16404bdee1fd8c044291df96beb37e9a5ddf8cbee5ec9c3f
                                                  • Opcode Fuzzy Hash: cba28e9330ecc86f782662e82a2dd3b4270b8bb2da98a69048a680f450900f06
                                                  • Instruction Fuzzy Hash: DF210712B1AE4E0BFBB996BC147123D52C3DFD8650B5E01BAD01EC72EAED29ED024340
                                                  Function 00007FFD9BC23293 Relevance: .1, Instructions: 103COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6ccbf0a5064fae942fc2ad8b3a0d1bd8c73a7f013555bed27fff6f32f2005220
                                                  • Instruction ID: 528a16be2bdd8d0c61b9ae4ff0ed02c49204d5dceffecfc45e6a7d6c98a80bb0
                                                  • Opcode Fuzzy Hash: 6ccbf0a5064fae942fc2ad8b3a0d1bd8c73a7f013555bed27fff6f32f2005220
                                                  • Instruction Fuzzy Hash: 74218211B1AE4E0FE7B9A2BC146127956C2EFD8A61B9A407AD41EC32E7ED19ED424340
                                                  Function 00007FFD9BC2292E Relevance: .1, Instructions: 99COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5317c33793a7d74d05515d356d00f22f2795fffa858a54dd1c126b5b7264a824
                                                  • Instruction ID: 17d7aa06c273e36dff9ef226a55eaf7e50929a93d720f219e2cda48432f4c4e2
                                                  • Opcode Fuzzy Hash: 5317c33793a7d74d05515d356d00f22f2795fffa858a54dd1c126b5b7264a824
                                                  • Instruction Fuzzy Hash: 5121C411B1AE0E0BF7B9E2BC146523956C2EFD8650B5E01BAD41EC72A6ED19ED034341
                                                  Function 00007FFD9BC239C2 Relevance: .1, Instructions: 98COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b538345c2e735b600425bca590f48bcc3934ba82f8280ea3a3aabca14f8de018
                                                  • Instruction ID: 7f2985b6165b3ed2237d7e8202106f8f0d00f4899df0d98d03fa10218f725a21
                                                  • Opcode Fuzzy Hash: b538345c2e735b600425bca590f48bcc3934ba82f8280ea3a3aabca14f8de018
                                                  • Instruction Fuzzy Hash: 7021B811B1AE4E0FF7B9A2BC146527D56C2DFD866075A01BBD41EC32EAED29ED424340
                                                  Function 00007FFD9BC2555F Relevance: .1, Instructions: 97COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d7aca6604431f069c5581f53f54fb075a5c7cf6cd78e7e9f2454ef7814f74867
                                                  • Instruction ID: ff9e0ea2eaf42b93272c8c86fb8fa449fe25e93339dcb153de2bb5e8688f7f5b
                                                  • Opcode Fuzzy Hash: d7aca6604431f069c5581f53f54fb075a5c7cf6cd78e7e9f2454ef7814f74867
                                                  • Instruction Fuzzy Hash: 5F219811B1AE4E0FF7B9E27C186527D56C3EF98610B5E01BAD40EC72E6ED29ED428341
                                                  Function 00007FFD9BC23762 Relevance: .1, Instructions: 96COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c5c3da77a0494e569229cc27eac59efffedd8723d41bacbaaa8ac6d1c0848611
                                                  • Instruction ID: 9716fe048db3463af7214d5794719a0dab2372d0f0250d812889ac4e3298005f
                                                  • Opcode Fuzzy Hash: c5c3da77a0494e569229cc27eac59efffedd8723d41bacbaaa8ac6d1c0848611
                                                  • Instruction Fuzzy Hash: F021D611B1AE4E0FFBA9E6BC146527952C2DFD8620B5A01BAD40EC33E6ED29ED024301
                                                  Function 00007FFD9BC24E48 Relevance: .1, Instructions: 95COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1e650f43ba0948c2f3e8f8358f3ac18de8009fbdcbbbd8d3cab35b42b0bf8d2a
                                                  • Instruction ID: d91af245da12e18677ba68e88ebc617517e3f919da4f5031cb0c65de1d428eae
                                                  • Opcode Fuzzy Hash: 1e650f43ba0948c2f3e8f8358f3ac18de8009fbdcbbbd8d3cab35b42b0bf8d2a
                                                  • Instruction Fuzzy Hash: F321B811B1AE4E0BF7B5E27C146527D56C2DF9855075E41BED40EC32EAED29ED024341
                                                  Function 00007FFD9BC226DA Relevance: .1, Instructions: 91COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 20f99631292e40144a33e9ae45c1598a472fc89cd729da114b12ba036ccaae39
                                                  • Instruction ID: 07402769cd002d86e393ec6041f77797e51c094d024d1fb250f85ac33cf93188
                                                  • Opcode Fuzzy Hash: 20f99631292e40144a33e9ae45c1598a472fc89cd729da114b12ba036ccaae39
                                                  • Instruction Fuzzy Hash: 7321C311B2EE4E0BE7B992BC587127951C3EFD8610B9E41BAD40EC73E6ED18ED424341
                                                  Function 00007FFD9BC23CF1 Relevance: .1, Instructions: 90COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d17c174124151b471ec25ca165061bdf003e656d1c58af2515f943bf490806c9
                                                  • Instruction ID: 4c50810bebd830ab5544101f678e9b902af46f15309d0582c033e97883366430
                                                  • Opcode Fuzzy Hash: d17c174124151b471ec25ca165061bdf003e656d1c58af2515f943bf490806c9
                                                  • Instruction Fuzzy Hash: 1B21DA11B2AE4E0FF7BAE37C146117956C2DFD8610B5A41BAD41EC72E6DD29ED024341
                                                  Function 00007FFD9BC2597E Relevance: .1, Instructions: 75COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f868a1682718cb96362942d86b2a3a1cdee43285a91e8139a9a5462205d913eb
                                                  • Instruction ID: c48ef9772cc6ff46cc4cdfe83dd02affd9c8cb53c71c426a50f9429f5b0736c0
                                                  • Opcode Fuzzy Hash: f868a1682718cb96362942d86b2a3a1cdee43285a91e8139a9a5462205d913eb
                                                  • Instruction Fuzzy Hash: B611B61171AE4E0BF7B9A27C146163D56C2DF99221B6E01BAD41EC72E6ED29ED038301
                                                  Function 00007FFD9BC25330 Relevance: .1, Instructions: 74COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2982a3caef8362a2ea9f0295385a9ec93612a3436ee2ddba4e76b09b00b339b8
                                                  • Instruction ID: df413556e3c0a59fec7295856c1e7d9f11dff548fce7591502330b13cdf32c19
                                                  • Opcode Fuzzy Hash: 2982a3caef8362a2ea9f0295385a9ec93612a3436ee2ddba4e76b09b00b339b8
                                                  • Instruction Fuzzy Hash: 2B11C81171AE4E0FFBBAE27C147123D56C2EF88210B5E01BAD40DC72E6ED29ED024300
                                                  Function 00007FFD9BC25268 Relevance: .1, Instructions: 72COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 39dd312ade18e891e06ea1cf7a6aaf52bf2c076f500ef766f20b1cda49d3cd6d
                                                  • Instruction ID: 18d6f5aa7f6bd5591b4d4f2076c1b9615dfcdd991f852a411424756dd0bd8d02
                                                  • Opcode Fuzzy Hash: 39dd312ade18e891e06ea1cf7a6aaf52bf2c076f500ef766f20b1cda49d3cd6d
                                                  • Instruction Fuzzy Hash: C0119811B1AA4F0BF7BAE27C186113955C2DF98611B5E01BAD45EC72E6EE29ED024301
                                                  Function 00007FFD9BC23B82 Relevance: .1, Instructions: 72COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 005eb07ddfcc381e646ab5c467325f76f4dbd48e1c664bf8366c2b51154f74ed
                                                  • Instruction ID: 4bbd05c5ca3c0c413e0d49a87786e8848038bcd84a94c213f16e026f3a0652b7
                                                  • Opcode Fuzzy Hash: 005eb07ddfcc381e646ab5c467325f76f4dbd48e1c664bf8366c2b51154f74ed
                                                  • Instruction Fuzzy Hash: D011B61571EA4E0FEBBAA67C147113956C2DFC9620B5E01B9D41DC32E6EE29ED024300
                                                  Function 00007FFD9BC20EE1 Relevance: .0, Instructions: 20COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2948459428.00007FFD9BC20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bc20000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7132ee8eef00a2a47b9499304da65b0b0587b90a3f8772fa7fd1dea43b6e66bc
                                                  • Instruction ID: b66c0633e57c224e42314e6d997aca15d6875788a181ced360e1220dfd337bd3
                                                  • Opcode Fuzzy Hash: 7132ee8eef00a2a47b9499304da65b0b0587b90a3f8772fa7fd1dea43b6e66bc
                                                  • Instruction Fuzzy Hash: E4D0C92572A51A07FA2422DC68623F8B685CB8C710F511137E409C63EAC8CEAEC242C6

                                                  Non-executed Functions

                                                  Function 00007FFD9BB0C2A5 Relevance: .5, Instructions: 543COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2947889815.00007FFD9BB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9bb00000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a6816e09a42dc87d24389b77af3969c240a433620c2b50b845bfc876e2a864ea
                                                  • Instruction ID: bf0a13b37ee4b1f48d0d5b6aa91f60e6facca79363d3cf530b6cb42cc029dc69
                                                  • Opcode Fuzzy Hash: a6816e09a42dc87d24389b77af3969c240a433620c2b50b845bfc876e2a864ea
                                                  • Instruction Fuzzy Hash: EEF1A03070DA4D4FDBA5EB68D864AB937E1FF49304B0600BAE44DC72EADB29EC458741
                                                  Function 00007FFD9B89F1F2 Relevance: .1, Instructions: 117COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2945641544.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b890000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ec4121fc7ca7f608a744c776d5f46bfd6758f2c7568422aa4528465e266aa53a
                                                  • Instruction ID: 8323206064402fed2d543c93944d3237e30a6e545fdcd71560a16e95c49d71fe
                                                  • Opcode Fuzzy Hash: ec4121fc7ca7f608a744c776d5f46bfd6758f2c7568422aa4528465e266aa53a
                                                  • Instruction Fuzzy Hash: EA31635BB0A1B656D71AB3BCB97A8F53B50DF4223D70842F3D1DD4E0E7AC49208B5194

                                                  Executed Functions

                                                  Function 00007FFD9B880BBD Relevance: 1.5, Strings: 1, Instructions: 277COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ;O_I
                                                  • API String ID: 0-1334563566
                                                  • Opcode ID: c4bce6d26e6194e947363896f60c2d9e1bf0963201f51401853ea5033ef93ce0
                                                  • Instruction ID: f95f85a4cac2c38da430eb03f65f7cd55783d81d979a656b1c5f6f0f2eee1132
                                                  • Opcode Fuzzy Hash: c4bce6d26e6194e947363896f60c2d9e1bf0963201f51401853ea5033ef93ce0
                                                  • Instruction Fuzzy Hash: 6FA15C2270FB868FF72D975C64741A57BA1EF49354B8504FBE498472EBE938AD028342
                                                  Function 00007FFD9B8815FA Relevance: 1.3, Strings: 1, Instructions: 84COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .O_^
                                                  • API String ID: 0-2879385732
                                                  • Opcode ID: b7a75b07965ac43177e6e17f332beb0b33cecf9027bc825ad482a4b437c99b8f
                                                  • Instruction ID: 9503e145f3f594a6806d04acf07294a77e534123a90a87cc1fc3efb980fbf74d
                                                  • Opcode Fuzzy Hash: b7a75b07965ac43177e6e17f332beb0b33cecf9027bc825ad482a4b437c99b8f
                                                  • Instruction Fuzzy Hash: D8212B1670E9590FD365E72DD8756E43BD0EF9923170D01B7C09CCB153DC185D4A8351
                                                  Function 00007FFD9B8820FA Relevance: .4, Instructions: 362COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fed2bfcd166908d62ca9dd2f03464300c276e823928d7a549db4a079d15be138
                                                  • Instruction ID: 33468e3f320f1ede7dd271dbf0d07b1384d0ae63b23f1aa36ad8d4276b18b84c
                                                  • Opcode Fuzzy Hash: fed2bfcd166908d62ca9dd2f03464300c276e823928d7a549db4a079d15be138
                                                  • Instruction Fuzzy Hash: 5CA1D721B19E8E0FEBA5EB6884616B977D2EF9C340F0501B6D46DC71E7DE38AD028341
                                                  Function 00007FFD9B882DC8 Relevance: .2, Instructions: 249COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4e05418bcbca6ac129a65082e29b2b9de664d0b67925d54fabfcec1d32da14f6
                                                  • Instruction ID: e8380d0d0b6001172f8b44e17b6c172bcff22b010fb04eba1b41aba71c3f7465
                                                  • Opcode Fuzzy Hash: 4e05418bcbca6ac129a65082e29b2b9de664d0b67925d54fabfcec1d32da14f6
                                                  • Instruction Fuzzy Hash: 47716161B09D0D4FEBA8EB9884657BCB7E2EF9C310F450179D05ED32D6CE28AC028741
                                                  Function 00007FFD9B8824A2 Relevance: .2, Instructions: 190COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f889df2036a2f2639433311ff3441c911774ca2681db061a5fdcb94976254a33
                                                  • Instruction ID: 876a5acd8346e4fbbaa4d4f2eb67e6246e73fb1ad099846d6fc7ed15be6b0b05
                                                  • Opcode Fuzzy Hash: f889df2036a2f2639433311ff3441c911774ca2681db061a5fdcb94976254a33
                                                  • Instruction Fuzzy Hash: 7651C211B4EE5B4BFB9AB3B894716AA6AD2DB8D2A078144B5D01CC71EBDD3C9D038341
                                                  Function 00007FFD9B882110 Relevance: .2, Instructions: 169COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3071bb3d0c0487a04d8cf44b1f412552f1d0375427f9c0680d2599a5866380f0
                                                  • Instruction ID: 2409a833515a31d8d62f02bf0c1ee549d5d537b4fc18e86fd42a2407ca3d0e4e
                                                  • Opcode Fuzzy Hash: 3071bb3d0c0487a04d8cf44b1f412552f1d0375427f9c0680d2599a5866380f0
                                                  • Instruction Fuzzy Hash: FE41EB21B0DA8E0FEBA6EBA85471AF977A1EF99310F0500B6D05DC71D7DE386D058742
                                                  Function 00007FFD9B882729 Relevance: .2, Instructions: 161COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 928f524430ffbd14ef341ad6feb100eff8841740a3954fd67098a87af6f6af87
                                                  • Instruction ID: 473fefbc391fe443d64aaf1e6b2f9dffe56696d6ac47958d5366889d19e67143
                                                  • Opcode Fuzzy Hash: 928f524430ffbd14ef341ad6feb100eff8841740a3954fd67098a87af6f6af87
                                                  • Instruction Fuzzy Hash: 8C413121B1DE494FEB5CABAC94657B977D1EF98310F04017EE05EC32D6DD286D428392
                                                  Function 00007FFD9B88196D Relevance: .1, Instructions: 91COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a0256ba89228e3be804cfa140b89065f9d9c930f84d57fa4b99abfec5a11eb27
                                                  • Instruction ID: ac96d5597f1b4ea8125ed45a504b8a08a8105c24e27cce3515bedf2197a8ef4d
                                                  • Opcode Fuzzy Hash: a0256ba89228e3be804cfa140b89065f9d9c930f84d57fa4b99abfec5a11eb27
                                                  • Instruction Fuzzy Hash: 9C215630A0A94A4FEB65EB68C4E05A57790EF5D310B1542FAC068CF1ABDD38EC82C380
                                                  Function 00007FFD9B881BF5 Relevance: .1, Instructions: 84COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 17cfc8196ed6ec47ca2d41c966980ebb1808e8475b03c742acadc82ba9acab40
                                                  • Instruction ID: 866d0ef548b64daf27f2dbc99e6ce578922f3294aa189573480e7edb8cbe3c5d
                                                  • Opcode Fuzzy Hash: 17cfc8196ed6ec47ca2d41c966980ebb1808e8475b03c742acadc82ba9acab40
                                                  • Instruction Fuzzy Hash: DA3176306597468BFB0CE71CA8A5AA77F61EB88324FD14195D418833CADE3C6946C752
                                                  Function 00007FFD9B880872 Relevance: .1, Instructions: 84COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1d31890e71fd401747206d58683511213fe01ac522bdb570d481760b122f80aa
                                                  • Instruction ID: cdf6f787f1c490004020292799eed907f615e4c50c2235ba0b5a5174ec2eb4b2
                                                  • Opcode Fuzzy Hash: 1d31890e71fd401747206d58683511213fe01ac522bdb570d481760b122f80aa
                                                  • Instruction Fuzzy Hash: B6212852A2EFCA4FE359A7645C356A46BA1EF55780F0501FAC0ADCB1E7ED1828448392
                                                  Function 00007FFD9B8832DD Relevance: .1, Instructions: 83COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f5e1ca691d6b7911c07c61eee5e0a54a2f0979083373da8202ccdcab4893d32c
                                                  • Instruction ID: fc27a3acc97e4319b92303e4b01d5e9d0a244ef6e9f8b503906269c99da98465
                                                  • Opcode Fuzzy Hash: f5e1ca691d6b7911c07c61eee5e0a54a2f0979083373da8202ccdcab4893d32c
                                                  • Instruction Fuzzy Hash: 7E21F431F19A598FEBA8EB7898699B973E1EF58311B4100BAE01DC32A6DE349841C741
                                                  Function 00007FFD9B883491 Relevance: .1, Instructions: 74COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 010d67090a6bc153dc3a91cbc8eec13dd684327a411e31710c9b65f2d2d44547
                                                  • Instruction ID: 20944a9987250e118d9e70220813b0ed3589411617792948c0a63d134e19f38d
                                                  • Opcode Fuzzy Hash: 010d67090a6bc153dc3a91cbc8eec13dd684327a411e31710c9b65f2d2d44547
                                                  • Instruction Fuzzy Hash: 3D115021B0EE450FE355A7786C598F57BD1DF9522470542BBF45DC31A3CD1899868341
                                                  Function 00007FFD9B8828D5 Relevance: .1, Instructions: 62COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5770fee136906c366a772856e4d8234db976ab5ac5fef33d13f35270da26cddb
                                                  • Instruction ID: 338891f198e636a51ebbec852dbbb9a802b24ef87ebd45c4f3cc771aeb7dfcac
                                                  • Opcode Fuzzy Hash: 5770fee136906c366a772856e4d8234db976ab5ac5fef33d13f35270da26cddb
                                                  • Instruction Fuzzy Hash: 7811E921B0EACC4FE347E77858A8AA43FD1AF4B224B1A01F7D098CB0B7C9684945C352
                                                  Function 00007FFD9B880DA9 Relevance: .1, Instructions: 61COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: acb615a8bc845e418232729b3b1fd9decd1fb6938be8eab15dc89ae897d32052
                                                  • Instruction ID: 67ffc41121f2a30be48a5022db994702e8c66ebdcef14ab903b14c4d4e484e29
                                                  • Opcode Fuzzy Hash: acb615a8bc845e418232729b3b1fd9decd1fb6938be8eab15dc89ae897d32052
                                                  • Instruction Fuzzy Hash: A9018923B79D8E0BD7ADA32C14A45F663C2EB98350B0405BAE45DC32D6ED243D438381
                                                  Function 00007FFD9B881E58 Relevance: .0, Instructions: 49COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 979a6dc8fedc9622c620b946b6ba51f16efa7dfe2f80ce06e6de88ce437d8dcc
                                                  • Instruction ID: a01ece1b02f8bce3c7fce044ab37a9d949f7ebf9a3db6e4504b67e4cd269d50f
                                                  • Opcode Fuzzy Hash: 979a6dc8fedc9622c620b946b6ba51f16efa7dfe2f80ce06e6de88ce437d8dcc
                                                  • Instruction Fuzzy Hash: B4F02422B08C1C0FE754F2AD58E9EF927D0DBEC22571500B7E00CC72BBDC1898828391
                                                  Function 00007FFD9B881E70 Relevance: .0, Instructions: 38COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 465864d33a7c3e1e1648be18ceaa92b2423a9d95660b04d8c59bb076424a8bf0
                                                  • Instruction ID: 1fa01099739f29173bc2bd7b0e37a439c444a23442e117cf3e569c6600dc0916
                                                  • Opcode Fuzzy Hash: 465864d33a7c3e1e1648be18ceaa92b2423a9d95660b04d8c59bb076424a8bf0
                                                  • Instruction Fuzzy Hash: 8DE09221F19C1D1FEBA8F7AD48D9F7962D1EBAC21572105B6E41CC73BADC289C818381
                                                  Function 00007FFD9B88094D Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.1730823584.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ffd9b880000_Runtime Broker.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7d39493e5e84bb893ac850ed422794df3e14083ae000b811e82b8ce4d434fb0a
                                                  • Instruction ID: 16c29f842720c1513a3686eb19fe20fd04e30ff010bac10d4b972cdbb2c5159f
                                                  • Opcode Fuzzy Hash: 7d39493e5e84bb893ac850ed422794df3e14083ae000b811e82b8ce4d434fb0a
                                                  • Instruction Fuzzy Hash: 5DE02622F5ED1E0BE394337C24321FC31C18F48A50B42103AE81DC62E7DC2D2D430284