Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Analysis ID: 1417470
MD5: 04c989d29336fb35d0acf623b8bcf64c
SHA1: 67c95f5de71452deb7843c9ac2880340c50e4a28
SHA256: ad132be05b5588ba7a292e3ae2faab0401f5380bbd4796483d45df99dc1500e9
Tags: exe

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Installs Task Scheduler Managed Wrapper
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Virustotal: Detection: 59%
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Virustotal: Detection: 59%
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: global traffic TCP traffic: 192.168.2.6:49710 -> 77.38.200.133:6969
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: xn--80aa3a1a9c.online
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://james.newtonking.com/projects/json
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: RuntimeBroker.exe, 00000002.00000002.3327883889.000001CB299A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr String found in binary or memory: https://github.com/dahall/taskscheduler
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, Keyboard.cs .Net Code: SetHook
Source: RuntimeBroker.exe.0.dr, Keyboard.cs .Net Code: SetHook
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll 74FE1A6A1E36BE7D893E31BBB4D4BD83BF4B927E715276CD5607982139818EBD
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
Source: RuntimeBroker.exe.0.dr Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000002.2081931674.0000020C38B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000002.2081931674.0000020C38B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000000.2074244768.0000020C26DA2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000000.2074244768.0000020C26DA2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000002.2082156882.0000020C41424000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSailor.exe> vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000000.2074337572.0000020C26EAA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSailor.exe> vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Binary or memory string: OriginalFilenameSailor.exe> vs SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Section loaded: fwpuclnt.dll
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskSchedulerSnapshot.cs Task registration methods: 'InternalCreate', 'Create'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, SystemInfo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, Tools.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: RuntimeBroker.exe.0.dr, SystemInfo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: RuntimeBroker.exe.0.dr, Tools.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal88.spyw.evad.winEXE@4/5@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe File created: C:\Users\user\AppData\Roaming\Local
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Mutant created: NULL
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe String found in binary or memory: 9Task Scheduler 2.0 (1.2) does not support setting this property. You must use an InteractiveToken in order to have the task run in the current user session.#RunOnlyIfLoggedOn3RunOnlyIfNetworkAvailable-StopIfGoingOnBatteries
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Process created: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Process created: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static file information: File size 1075712 > 1048576
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106200
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Newtonsoft.Json.dll.0.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, RuntimeBroker.exe.0.dr, Microsoft.Win32.TaskScheduler.dll.0.dr

Data Obfuscation

barindex
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38b59ac0.1.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38bab2f8.0.raw.unpack, DynamicUtils.cs .Net Code: CreateSharpArgumentInfoArray
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe.20c38bab2f8.0.raw.unpack, LateBoundReflectionDelegateFactory.cs .Net Code: CreateDefaultConstructor
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Static PE information: 0xBF843D4D [Mon Oct 26 19:51:41 2071 UTC]
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Code function: 2_2_00007FFD348A7870 pushad ; retf 2_2_00007FFD348A789D
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Code function: 2_2_00007FFD348A789E push eax; retf 2_2_00007FFD348A78AD
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Code function: 2_2_00007FFD348A030E push E95D947Dh; ret 2_2_00007FFD348A0329
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe File created: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe File created: C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe File created: C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll Jump to dropped file
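The static PE entries above (COM descriptor and DEBUG data directories, image base 0x140000000, the DllCharacteristics list, and the 0xBF843D4D timestamp that decodes to the year 2071) are all header fields that can be read with a few struct unpacks. The following is an added example, not part of the sandbox report or its tooling: it builds a constructed PE32+ header that carries the reported values (it is not the sample itself), parses the fields back out, and applies the timestamp and .NET checks. The caveat it encodes is the one a practitioner wants here: the sample is a managed assembly (COM descriptor present) and deterministic .NET builds write a content-hash-derived TimeDateStamp, so a far-future timestamp is weak evidence on its own for this file; the reflection hits listed under Data Obfuscation likewise come from the bundled Newtonsoft.Json and TaskScheduler libraries named in the pdb paths. Field offsets follow the PE/COFF specification; flag names are the example's own.

```python
"""Read the PE header fields a static triage reports and derive timestamp / CLR checks.

Added example. The bytes built here are constructed to mirror the values the
report lists for the sample; they are not the sample and contain no code.
"""
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DIR_DEBUG, DIR_COM_DESCRIPTOR = 6, 14   # data directory indices (DEBUG, CLR header)
NUM_DIRS = 16


def build_sample_pe() -> bytes:
    """Constructed PE32+ header carrying the report's values (timestamp, image base, flags)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)       # 64-byte DOS header
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptional, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0xBF843D4D, 0, 0, 112 + 8 * NUM_DIRS, 0x0022)
    # Optional header, PE32+ (magic 0x20B): 112 bytes up to NumberOfRvaAndSizes
    opt = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        0x20B, 0x30, 0, 0x106200, 0x800, 0, 0, 0x1000,   # magic, linker, sizes, entry, BaseOfCode
        0x140000000, 0x2000, 0x200,                       # ImageBase, SectionAlign, FileAlign
        4, 0, 0, 0, 4, 0, 0,                              # OS/image/subsystem versions, Win32Version
        0x10A000, 0x200, 0, 3, 0x8560,                    # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllChars
        0x100000, 0x1000, 0x100000, 0x1000, 0, NUM_DIRS,  # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    )
    dirs = [(0, 0)] * NUM_DIRS
    dirs[DIR_DEBUG] = (0x105000, 0x1C)           # IMAGE_DIRECTORY_ENTRY_DEBUG present
    dirs[DIR_COM_DESCRIPTOR] = (0x2008, 0x48)    # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: managed image
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\0\0" + coff + opt


def parse_pe_header(data: bytes) -> dict:
    """Return the header fields the report's static signatures are built from (PE32+ only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("this example handles PE32+ (64-bit) images only")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(n_dirs)]
    return {
        "machine": machine, "sections": nsections, "timestamp": timestamp,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "image_base": image_base,
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "has_debug_dir": n_dirs > DIR_DEBUG and dirs[DIR_DEBUG][1] > 0,
        "is_dotnet": n_dirs > DIR_COM_DESCRIPTOR and dirs[DIR_COM_DESCRIPTOR][1] > 0,
    }


def assess(info: dict, now_epoch: int) -> list:
    """Flags in the spirit of the report's static signatures, with the .NET caveat attached."""
    flags = []
    if info["timestamp"] > now_epoch:
        flags.append("timestamp_in_future")
        if info["is_dotnet"]:
            # Deterministic .NET (Roslyn) builds derive TimeDateStamp from a content hash,
            # so a nonsense or future value is expected for managed images, not a tell by itself.
            flags.append("timestamp_likely_deterministic_build")
    if info["is_dotnet"]:
        flags.append("managed_clr_image")
    return flags


if __name__ == "__main__":
    hdr = parse_pe_header(build_sample_pe())
    print(hdr["compile_time"].isoformat(), hex(hdr["image_base"]), hdr["dll_characteristics"])
    print(assess(hdr, now_epoch=1709251200))   # 2024-03-01 UTC as "now"
```

To run it against the real file, replace the constructed bytes with `open(path, "rb").read()`; only the first few hundred bytes are needed, since everything parsed here sits in the headers.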

Boot Survival

barindex
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe File created: C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (19 identical entries collapsed)
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (78 identical entries collapsed)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Memory allocated: 20C271E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Memory allocated: 20C40B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Memory allocated: 1CB27F00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Memory allocated: 1CB419A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Memory allocated: 224AB630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Memory allocated: 224C3630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Local\.microsoft\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe TID: 3856 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RuntimeBroker.exe, 00000003.00000002.3327179086.00000224A9AC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\Lo
Source: SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe, 00000000.00000002.2081479409.0000020C27101000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: RuntimeBroker.exe, 00000002.00000002.3328327285.000001CB41F21000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Process created: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.26783.2877.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Queries volume information: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Queries volume information: C:\Users\user\AppData\Roaming\Local\.microsoft\Microsoft.Win32.TaskScheduler.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Queries volume information: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Local\.microsoft\RuntimeBroker.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior