
Windows Analysis Report Runtime Broker.exe

Overview

General Information

Sample Name: Runtime Broker.exe
Analysis ID: 528970
MD5: abc7a9c5b732b72a8f47fd85ee638c09
SHA1: 9876415085f95c02d6bcea9b1fc990d5b5c50d1c
SHA256: d9ebb6958afcd1907651487062108ec56a2af9eb935f2437156584081cb56b2f

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses 32bit PE files
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found dropped PE file which has not been started or loaded
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • Runtime Broker.exe (PID: 1848 cmdline: "C:\Users\user\Desktop\Runtime Broker.exe" MD5: ABC7A9C5B732B72A8F47FD85EE638C09)
  • cleanup
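The process tree shows the sample starting as "Runtime Broker.exe" (note the space) from the user's Desktop, whereas the genuine Windows RuntimeBroker.exe lives in C:\Windows\System32. The report does not call this out, but it is the classic masquerading pattern (MITRE ATT&CK T1036). The following is an added example, not part of the Joe Sandbox report: a detection pass over process-creation records that normalizes image names and flags system-binary look-alikes that are misspelled or start from outside the system directories. The record format, the short SYSTEM_BINARIES list and the log lines are constructed for the example.

```python
"""Flag processes whose image name imitates a Windows system binary but that are
misspelled or run from outside System32/SysWOW64 (masquerading, ATT&CK T1036).
Added example; the record format and the log lines are constructed, not taken
from the sandbox report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: a starter list of frequently imitated Windows binaries. In practice
# build it from an inventory of System32/SysWOW64 image names on a clean host.
SYSTEM_BINARIES = {
    "runtimebroker.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
    "dllhost.exe", "taskhostw.exe", "conhost.exe", "services.exe", "winlogon.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def normalize_name(image_name: str) -> str:
    """Lower-case and drop separators in the stem so that 'Runtime Broker.exe',
    'runtime_broker.exe' and 'RuntimeBroker.exe' all map to the same key."""
    base = image_name.strip().lower()
    stem, dot, ext = base.rpartition(".")
    if not dot:
        stem, ext = base, ""
    stem = re.sub(r"[^a-z0-9]", "", stem)
    return f"{stem}.{ext}" if ext else stem


@dataclass
class Finding:
    pid: int
    image_path: str
    imitates: str
    reason: str


def check_process(pid: int, image_path: str) -> Optional[Finding]:
    path = image_path.strip().strip('"').lower()
    name = path.rsplit("\\", 1)[-1]
    canonical = normalize_name(name)
    if canonical not in SYSTEM_BINARIES:
        return None
    in_system_dir = path.startswith(SYSTEM_DIRS)
    if in_system_dir and name == canonical:
        return None                       # genuine: right name, right place
    reasons = []
    if name != canonical:
        reasons.append("spelling differs from the system binary only by case or separators")
    if not in_system_dir:
        reasons.append("started from outside System32/SysWOW64")
    return Finding(pid, image_path, canonical, "; ".join(reasons))


def scan_records(records: str) -> List[Finding]:
    """records: one process-creation event per line as '<pid>\\t<image path>'."""
    findings = []
    for line in records.splitlines():
        if not line.strip():
            continue
        pid, image = line.split("\t", 1)
        finding = check_process(int(pid), image)
        if finding:
            findings.append(finding)
    return findings


# Constructed records: the sample from this report's process tree, the genuine
# broker, a system-binary name in %TEMP%, and the dropped Python as a control.
SAMPLE_RECORDS = (
    "1848\tC:\\Users\\user\\Desktop\\Runtime Broker.exe\n"
    "912\tC:\\Windows\\System32\\RuntimeBroker.exe\n"
    "4420\tC:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe\n"
    "5012\tC:\\Program Files (x86)\\WinSoft Update Service\\python.exe\n"
)

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"PID {f.pid}: {f.image_path} imitates {f.imitates}: {f.reason}")
```

The normalization is deliberately narrow (case and separators only); homoglyph and digit-for-letter substitutions need a separate edit-distance check against the same inventory.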

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Runtime Broker.exe | VirusTotal: Detection: 36%
Source: Runtime Broker.exe | ReversingLabs: Detection: 33%
Machine Learning detection for sample
Source: Runtime Broker.exe | Joe Sandbox ML: detected
Source: Runtime Broker.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Runtime Broker.exe | File created: C:\Program Files (x86)\WinSoft Update Service\LICENSE.txt
Source: C:\Users\user\Desktop\Runtime Broker.exe | File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\license.txt
Source: C:\Users\user\Desktop\Runtime Broker.exe | File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\readme.txt
Source: C:\Users\user\Desktop\Runtime Broker.exe | File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\README.txt
Source: C:\Users\user\Desktop\Runtime Broker.exe | File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\samples\README.txt
Source: C:\Users\user\Desktop\Runtime Broker.exe | File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\test\README.txt
Source: Runtime Broker.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\A\18\s\PCbuild\win32\_asyncio.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_hashlib.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axscript.pdb1" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\authorization.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: MFCM140U.i386.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\PyISAPI_loader.pdb source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_ssl.pdb source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axscript.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_lzma.pdb source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: debugger_parent=pdb.Pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32ui.pdbP source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axdebug.pdbM! source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\directsound.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_decimal.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_elementtree.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_multiprocessing.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pywintypes.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_decimal.pdb%% source: nsg2001.tmp.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_tkinter.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\ifilter.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr, nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\PyISAPI_loader.pdb! source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\bits.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axdebug.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\directsound.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_ctypes.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axcontrol.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axcontrol.pdb3" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_queue.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32uiole.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\internet.pdb/% source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\mapi.pdb9 source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pythoncom.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32ui.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_msi.pdb source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_sqlite3.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_socket.pdb source: _socket.pyd.0.dr, nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-File-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pythoncom.pdb},# source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: API-MS-Win-Core-File-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Console-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\mapi.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\adsi.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr, nsg2001.tmp.0.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1g 21 Apr 2020built on: Fri Jun 12 19:53:43 2020 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
Source: Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Debug-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Interlocked-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_bz2.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\bits.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\adsi.pdb* source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_overlapped.pdb source: _overlapped.pyd.0.dr, nsg2001.tmp.0.dr
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source: Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb3 source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr, nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\python37.pdb source: python37.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: C:\A\6\b\libssl-1_1.pdb@@ source: libssl-1_1.dll.0.dr
Source: Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pywintypes.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_lzma.pdbOO source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32uiole.pdb,&" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\internet.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: API-MS-Win-Core-Console-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: C:\Users\user\Desktop\Runtime Broker.exe | Code function: 0_2_0040689A FindFirstFileW,FindClose,0_2_0040689A
Source: C:\Users\user\Desktop\Runtime Broker.exe | Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C4E
Source: C:\Users\user\Desktop\Runtime Broker.exe | Code function: 0_2_00402902 FindFirstFileW,0_2_00402902
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack\
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\Lib
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: http://192.168.0.1/Python/interrupt/test.asp
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: http://192.168.0.1/Python/interrupt/test1.asp
Source: tcl86t.dll.0.dr | String found in binary or memory: http://aia.startssl.com/certs/ca.crt0
Source: tcl86t.dll.0.dr | String found in binary or memory: http://aia.startssl.com/certs/sca.code3.crt06
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: http://badge.fury.io/py/idna
Source: contextlib2.py.0.dr | String found in binary or memory: http://bugs.python.org/issue12029
Source: contextlib2.py.0.dr | String found in binary or memory: http://bugs.python.org/issue13585
Source: contextlib2.py.0.dr | String found in binary or memory: http://bugs.python.org/issue19404
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: compat.py1.0.dr | String found in binary or memory: http://code.activestate.com/recipes/576693/
Source: tcl86t.dll.0.dr | String found in binary or memory: http://crl.startssl.com/sca-code3.crl0#
Source: tcl86t.dll.0.dr | String found in binary or memory: http://crl.startssl.com/sfsca.crl0f
Source: libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nsg2001.tmp.0.dr | String found in binary or memory: http://hdl.handle.net/1895.22/1013
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: http://iana.org/
Source: Runtime Broker.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: tcl86t.dll.0.dr | String found in binary or memory: http://ocsp.startssl.com00
Source: tcl86t.dll.0.dr | String found in binary or memory: http://ocsp.startssl.com07
Source: libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: http://pages.cpsc.ucalgary.ca/~saul/vb_examples/tutorial12/
Source: python37.dll.0.dr | String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: __init__.py23.0.dr | String found in binary or memory: http://sourceforge.net/projects/adodbapi
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: http://starship.python.net/crew/mhammond/win32/PrivacyProblem.html
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: http://tools.ietf.org/html/rfc3490
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: http://tools.ietf.org/html/rfc5891
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: http://tools.ietf.org/html/rfc5895
Source: compat.py1.0.dr | String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: http://unicode.org/reports/tr46/
Source: distro.py.0.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nsg2001.tmp.0.dr | String found in binary or memory: http://www.cnri.reston.va.us)
Source: nsg2001.tmp.0.dr | String found in binary or memory: http://www.cwi.nl)
Source: distro.py.0.dr | String found in binary or memory: http://www.freedesktop.org/software/systemd/man/os-release.html
Source: chardistribution.py.0.dr, chardistribution.py0.0.dr | String found in binary or memory: http://www.mozilla.org/projects/intl/UniversalCharsetDetection.html
Source: nsg2001.tmp.0.dr | String found in binary or memory: http://www.opensource.org
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: http://www.python.org
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: http://www.python.org/favicon.ico
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: http://www.python.org/missing-favicon.ico
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: http://www.pythoncom-test.com/bar
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: http://www.pythoncom-test.com/foo
Source: nsg2001.tmp.0.dr | String found in binary or memory: http://www.pythonlabs.com/logos.html
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: http://www.scintilla.org)
Source: tcl86t.dll.0.dr | String found in binary or memory: http://www.startssl.com/0P
Source: tcl86t.dll.0.dr | String found in binary or memory: http://www.startssl.com/policy0
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: https://badge.fury.io/py/idna.svg
Source: distro.py.0.dr | String found in binary or memory: https://bugs.python.org/issue1322
Source: logging.py.0.dr | String found in binary or memory: https://bugs.python.org/issue19612
Source: logging.py.0.dr | String found in binary or memory: https://bugs.python.org/issue30418
Source: pyparsing.py.0.dr | String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: pyparsing.py.0.dr | String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: pyparsing.py.0.dr | String found in binary or memory: https://docs.python.org/3/library/re.html
Source: pyparsing.py.0.dr | String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/kjd/idna
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/mhammond/pywin32
Source: distro.py.0.dr | String found in binary or memory: https://github.com/nir0s/distro/issues/162
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/psf/requests/issues/3578.
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/psf/requests/pull/2238
Source: spinners.py.0.dr | String found in binary or memory: https://github.com/pypa/pip/issues/3418
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/pypa/pip/issues/7498.
Source: install.py0.0.dr | String found in binary or memory: https://github.com/pypa/pip/issues/new
Source: prepare.py.0.dr | String found in binary or memory: https://github.com/pypa/pip/pull/6770
Source: pyparsing.py.0.dr | String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: logging.py.0.dr | String found in binary or memory: https://github.com/python/mypy/issues/1297
Source: logging.py.0.dr | String found in binary or memory: https://github.com/python/mypy/issues/3500
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: https://httpbin.org/get
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: https://httpbin.org/post
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: https://requests.readthedocs.io
Source: pyparsing.py.0.dr | String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: https://stackoverflow.com/questions/45138084/pythonwin-occasionally-gives-an-error-on-opening
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: https://travis-ci.org/kjd/idna
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | String found in binary or memory: https://travis-ci.org/kjd/idna.svg?branch=master
Source: cacert.pem0.0.dr | String found in binary or memory: https://www.catcert.net/verarrel
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr | String found in binary or memory: https://www.openssl.org/H
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | String found in binary or memory: https://www.python.org
Source: cache.py2.0.dr | String found in binary or memory: https://www.python.org/dev/peps/pep-0427/
Source: Runtime Broker.exe, Runtime Broker.exe, 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp | String found in binary or memory: https://www.python.org/dev/peps/pep-0566/#id17.
Source: nsg2001.tmp.0.dr | String found in binary or memory: https://www.python.org/psf/)
Source: unknown | DNS traffic detected: queries for: google.com
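The URL list above is almost entirely library residue: AIA, CRL and OCSP pointers carved out of the Authenticode certificates of the signed DLLs (the stray "0C", "0O" and similar suffixes are the DER bytes that follow the URL in the certificate), bug-tracker and documentation links from the bundled pip, requests and pyparsing sources, and pywin32 test fixtures (the 192.168.0.1 and pythoncom-test.com strings sit in the same memory region as the pywin32 PDB paths). The only network behaviour actually observed is the DNS query for google.com. The following is an added example, not Joe Sandbox tooling: a triage pass that parses rows in the report's "String found in binary or memory" form, trims the DER residue, buckets URLs into PKI, known-vendor, private-IP and review, and keeps observed DNS separate from static strings. The KNOWN_DOMAINS allowlist and the row subset are constructed for the example.

```python
"""Separate certificate-chain and library-reference URLs from strings that merit
analyst review in a sandbox report. Added example, not part of the Joe Sandbox
report; SAMPLE_ROWS is a constructed subset of this report's URL list."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Rows as the report prints them; the separator between source and evidence may
# be missing entirely (extraction residue) or be a pipe.
URL_ROW = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)$")
DNS_ROW = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*DNS traffic detected: queries for:\s*(?P<name>\S+)$")

# Host labels used for X.509 AIA / CRL / OCSP pointers. Such strings come from the
# certificates embedded in signed binaries, not from the program's own code.
PKI_LABELS = {"crl", "crl3", "crl4", "ocsp", "aia", "cacerts", "ts-crl", "ts-ocsp", "ts-aia"}
# Assumption: a starter allowlist of vendor/project domains; extend per case.
KNOWN_DOMAINS = ("digicert.com", "symantec.com", "thawte.com", "startssl.com",
                 "python.org", "github.com", "openssl.org", "ietf.org", "sf.net")


def clean_url(url: str) -> Tuple[str, str]:
    """Return (host, path). URLs carved from DER certificates carry the next
    length/tag byte glued on ('...crt0', 'ocsp.digicert.com0C'); trim it only
    where the pattern is unambiguous so real paths like /issue19404 survive."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    host = re.sub(r"^(.*\.(?:com|net|org))0\w{0,2}$", r"\1", host)
    path = re.sub(r"(\.(?:crl|crt|cer))0\S*$", r"\1", parts.path)
    return host, path


def classify(url: str) -> Tuple[str, str]:
    host, path = clean_url(url)
    try:
        if ipaddress.ip_address(host).is_private:
            return "private-ip", host
    except ValueError:
        pass                                   # not an IP literal
    if host.split(".")[0] in PKI_LABELS or path.lower().endswith((".crl", ".crt", ".cer")):
        return "pki", host
    if any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
        return "known-vendor", host
    return "review", host


def triage(report: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group URL rows as category -> [(host, source file or memory region)]."""
    buckets: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in report.splitlines():
        m = URL_ROW.match(line.strip())
        if not m:
            continue
        category, host = classify(m.group("url"))
        entry = (host, m.group("src"))
        if entry not in buckets[category]:
            buckets[category].append(entry)
    return dict(buckets)


def observed_dns(report: str) -> List[str]:
    """Names resolved at run time: behaviour, as opposed to static strings."""
    matches = (DNS_ROW.match(line.strip()) for line in report.splitlines())
    return [m.group("name") for m in matches if m]


# Constructed subset of this report's rows, in the fused form the page shows.
SAMPLE_ROWS = """\
Source: libssl-1_1.dll.0.dr, python37.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: libssl-1_1.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: tcl86t.dll.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: libssl-1_1.dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmpString found in binary or memory: https://github.com/mhammond/pywin32
Source: Runtime Broker.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmpString found in binary or memory: http://192.168.0.1/Python/interrupt/test.asp
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmpString found in binary or memory: http://www.pythoncom-test.com/foo
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmpString found in binary or memory: https://httpbin.org/post
Source: unknownDNS traffic detected: queries for: google.com
"""

if __name__ == "__main__":
    for category, entries in triage(SAMPLE_ROWS).items():
        print(category, sorted({h for h, _ in entries}))
    print("observed DNS:", observed_dns(SAMPLE_ROWS))
```

Anything in the "review" bucket still needs a human: here it is pywin32 test strings and a requests test endpoint, but the same bucket is where a real contact point would surface, and the source column tells you whether it came from a dropped library file or from the main binary's own image.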
Source: C:\Users\user\Desktop\Runtime Broker.exe | Code function: 0_2_004056E3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056E3
Source: Runtime Broker.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: python3.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
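Two of the report's signatures rest on PE header fields: "Uses 32bit PE files" (the Characteristics and DllCharacteristics flags listed for Runtime Broker.exe) and "PE file does not import any functions" (the forty-odd rows above). The second deserves a caveat before it is read as evasion: every api-ms-win-* file is an API-set forwarder stub whose exports redirect to the real implementation, and python3.dll is CPython's stable-ABI forwarder to python37.dll, so an empty import table is exactly what those files look like when benign. A second check worth making on the installer stub itself is that RELOCS_STRIPPED together with DYNAMIC_BASE means the loader cannot relocate the image, so the ASLR opt-in is ineffective for it. A related caveat applies to the "Sample file is different than original file name gathered from version info" signature: its evidence, listed below, is OriginalFilename strings read from memory regions that also hold the unpacked pywin32 and MFC modules, so it reflects the embedded payload rather than the installer's own version resource. The following is an added example, not Joe Sandbox code: a header parser that reproduces the flag and import-directory checks, plus a headers-only image builder so it runs offline. The flag values and RVAs handed to build_minimal_pe are constructed stand-ins, not bytes from the sample.

```python
"""Static PE header triage: architecture, COFF characteristics, DllCharacteristics,
and whether the import directory is empty. Added example, not Joe Sandbox code.
build_minimal_pe() constructs a headers-only image (constructed stand-in, not the
sample's bytes) so the parser can be exercised offline."""
import struct
from typing import Dict, List

FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# API-set forwarder stubs and CPython's stable-ABI forwarder never carry an import
# table, so "no imports" is expected for them rather than suspicious.
FORWARDER_PREFIXES = ("api-ms-win-", "ext-ms-win-")
FORWARDER_NAMES = {"python3.dll"}


def _flag_names(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def triage_pe(data: bytes, file_name: str = "") -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _psym, _nsym, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        pe32plus = False
    elif magic == 0x20B:
        pe32plus = True
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)   # same offset in PE32 and PE32+
    n_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_dirs_off)
    import_rva = import_size = 0
    if n_dirs > 1:                                    # data directory index 1 is the import table
        import_rva, import_size = struct.unpack_from("<II", data, opt + dirs_off + 8)
    flags = _flag_names(chars, FILE_CHARACTERISTICS)
    dll_flags = _flag_names(dll_chars, DLL_CHARACTERISTICS)
    lower = file_name.lower()
    return {
        "machine": machine,
        "is_32bit": machine == 0x14C and not pe32plus,
        "characteristics": flags,
        "dll_characteristics": dll_flags,
        "has_imports": import_rva != 0 and import_size != 0,
        # DYNAMIC_BASE only takes effect if the loader can relocate the image;
        # with relocations stripped it is pinned to its preferred base.
        "aslr_effective": "DYNAMIC_BASE" in dll_flags and "RELOCS_STRIPPED" not in flags,
        "expected_no_imports": lower.startswith(FORWARDER_PREFIXES) or lower in FORWARDER_NAMES,
    }


def build_minimal_pe(characteristics: int, dll_characteristics: int,
                     import_rva: int = 0, import_size: int = 0, pe32plus: bool = False) -> bytes:
    """Headers-only PE image (no sections): enough for triage_pe(), not loadable."""
    opt_size = 240 if pe32plus else 224               # 16 data directories included
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    n_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, n_dirs_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8, import_rva, import_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE signature right after the DOS header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-ins: the flag set the report lists for Runtime Broker.exe
# (0x010F / 0x8540, with an arbitrary non-empty import directory), and a
# forwarder-style DLL with no import directory at all.
SAMPLE_EXE = build_minimal_pe(0x010F, 0x8540, import_rva=0x6000, import_size=0x64)
SAMPLE_FORWARDER = build_minimal_pe(0x2102, 0x0140)

if __name__ == "__main__":
    for name, blob in (("Runtime Broker.exe", SAMPLE_EXE),
                       ("api-ms-win-core-heap-l1-1-0.dll", SAMPLE_FORWARDER)):
        print(name, triage_pe(blob, name))
```

On a real file call triage_pe(open(path, "rb").read(), os.path.basename(path)); a dropped DLL that has no imports and is not a forwarder by name is the case that actually warrants a closer look at its export table for forwarders versus real code.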
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePyISAPI_loader.dll0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMFC140U.DLL^ vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMFCM140U.DLL^ vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameScintilla.DLL4 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewin32ui.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewin32uiole.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepythoncom37.dll0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepywintypes37.dll0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameadsi.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameauthorization.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaxcontrol.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaxdebug.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaxscript.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamebits.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamedirectsound.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameifilter.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameinternet.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemapi.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Runtime Broker.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Runtime Broker.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: python.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: python.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pythonw.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pythonw.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tk86t.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tk86t.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tk86t.dll.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Runtime Broker.exeCode function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004035D8
Source: C:\Users\user\Desktop\Runtime Broker.exeCode function: 0_2_00406C5B0_2_00406C5B
Source: Runtime Broker.exeVirustotal: Detection: 36%
Source: Runtime Broker.exeReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\Runtime Broker.exeFile read: C:\Users\user\Desktop\Runtime Broker.exeJump to behavior
Source: Runtime Broker.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Runtime Broker.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeCode function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004035D8
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update ServiceJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Users\user\AppData\Local\Temp\nsw1FC2.tmpJump to behavior
Source: classification engineClassification label: mal52.winEXE@1/404@4/0
Source: C:\Users\user\Desktop\Runtime Broker.exeCode function: 0_2_004021A2 CoCreateInstance,0_2_004021A2
Source: C:\Users\user\Desktop\Runtime Broker.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeCode function: 0_2_00404983 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404983
Source: Runtime Broker.exeStatic file information: File size 18595672 > 1048576
Source: Runtime Broker.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\A\18\s\PCbuild\win32\_asyncio.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_hashlib.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axscript.pdb1" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\authorization.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: MFCM140U.i386.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\PyISAPI_loader.pdb source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_ssl.pdb source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axscript.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_lzma.pdb source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: debugger_parent=pdb.Pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32ui.pdbP source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axdebug.pdbM! source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\directsound.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_decimal.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_elementtree.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_multiprocessing.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pywintypes.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_decimal.pdb%% source: nsg2001.tmp.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_tkinter.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\ifilter.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr, nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\PyISAPI_loader.pdb! source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\bits.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axdebug.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\directsound.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_ctypes.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axcontrol.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axcontrol.pdb3" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_queue.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32uiole.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\internet.pdb/% source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\mapi.pdb9 source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pythoncom.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32ui.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_msi.pdb source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_sqlite3.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_socket.pdb source: _socket.pyd.0.dr, nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-File-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pythoncom.pdb},# source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: API-MS-Win-Core-File-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Console-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\mapi.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\adsi.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr, nsg2001.tmp.0.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1g 21 Apr 2020built on: Fri Jun 12 19:53:43 2020 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
Source: Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Debug-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: API-MS-Win-Core-Interlocked-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\_bz2.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\bits.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\adsi.pdb* source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_overlapped.pdb source: _overlapped.pyd.0.dr, nsg2001.tmp.0.dr
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source: Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb3 source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr, nsg2001.tmp.0.dr
Source: Binary string: C:\A\18\s\PCbuild\win32\python37.pdb source: python37.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: C:\A\6\b\libssl-1_1.pdb@@ source: libssl-1_1.dll.0.dr
Source: Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pywintypes.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\A\18\s\PCbuild\win32\_lzma.pdbOO source: nsg2001.tmp.0.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32uiole.pdb,&" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\internet.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source: Binary string: API-MS-Win-Core-Console-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source: libcrypto-1_1.dll.0.drStatic PE information: section name: .00cfg
Source: libssl-1_1.dll.0.drStatic PE information: section name: .00cfg
Source: vcruntime140.dll.0.drStatic PE information: section name: _RDATA
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\PyISAPI_loader.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_hashlib.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\python.exeJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\vcruntime140.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\mfc140u.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_asyncio.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\winsound.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\pyexpat.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_multiprocessing.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\python3.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_overlapped.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_tkinter.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\ucrtbase.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_decimal.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\sqlite3.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_elementtree.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_queue.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_ssl.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\python37.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\libssl-1_1.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_msi.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\pythonw.exeJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\libcrypto-1_1.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_sqlite3.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\tk86t.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\select.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_bz2.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_socket.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\unicodedata.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\tcl86t.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_lzma.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\_ctypes.pydJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\LICENSE.txtJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\license.txtJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\readme.txtJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\README.txtJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\samples\README.txtJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeFile created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\test\README.txtJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\PyISAPI_loader.dllJump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_hashlib.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\python.exe
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\vcruntime140.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\mfc140u.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_asyncio.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\winsound.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\pyexpat.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_multiprocessing.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\python3.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_overlapped.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_tkinter.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_decimal.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\sqlite3.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_elementtree.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_queue.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\python37.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_ssl.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\libssl-1_1.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_msi.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\pythonw.exe
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_sqlite3.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\tk86t.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\select.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_bz2.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_socket.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\unicodedata.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\tcl86t.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_lzma.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_ctypes.pyd
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\Runtime Broker.exe | Code function: 0_2_0040689A FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Runtime Broker.exe | Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Runtime Broker.exe | Code function: 0_2_00402902 FindFirstFileW
Source: C:\Users\user\Desktop\Runtime Broker.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Runtime Broker.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack\
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\Lib
Source: C:\Users\user\Desktop\Runtime Broker.exe | File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack
Source: cacert.pem0.0.dr | Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
Source: Runtime Broker.exe, 00000000.00000002.921455881.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: Runtime Broker.exe, 00000000.00000002.921455881.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: Runtime Broker.exe, 00000000.00000002.921455881.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: Runtime Broker.exe, 00000000.00000002.921455881.0000000000CA0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Runtime Broker.exe | Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
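The dropped-file list above describes a complete embedded Python 3.7 distribution (python.exe and pythonw.exe, python37.dll, the .pyd extension modules, OpenSSL 1.1, Tcl/Tk and the UCRT forwarder DLLs) written to a Program Files directory named like a Windows service, none of which ran during the analysis window. The script below is an added triage example, not part of the Joe Sandbox report or its tooling: it parses report lines in the format shown on this page, profiles what was staged and lists the indicators a responder would act on. The category names, the capability markers and the lookalike check against C:\Windows\System32\RuntimeBroker.exe are the example's own assumptions, not findings of the report.

```python
"""Triage of the 'Dropped PE file which has not been started' entries above.
Added example for this page; not part of the Joe Sandbox report or its tooling."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Subset of the report lines above, copied verbatim from the text export
# (fused table cells and 'Jump to dropped file' link residue included).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\python.exeJump to dropped file",
    r"Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-process-l1-1-0.dllJump to dropped file",
    r"Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\vcruntime140.dllJump to dropped file",
    r"Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\python37.dllJump to dropped file",
    r"Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_ssl.pydJump to dropped file",
    r"Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\libssl-1_1.dllJump to dropped file",
    r"Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\libcrypto-1_1.dllJump to dropped file",
    r"Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_socket.pydJump to dropped file",
    r"Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_ctypes.pydJump to dropped file",
    r"Source: C:\Users\user\Desktop\Runtime Broker.exeDropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\tk86t.dllJump to dropped file",
]

# Accepts the fused export ('...exeDropped', trailing link text) and a cleaned 'Source: <src> | Dropped ...: <path>' line.
DROPPED_RE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)[\s|]*Dropped PE file which has not been started:"
                        r"\s*(?P<path>.+?)\s*(?:Jump to dropped file)?\s*$")

# Marker files for what the staged runtime can do (this example's own mapping).
CAPABILITY_MARKERS = {
    "tls": {"_ssl.pyd", "libssl-1_1.dll", "libcrypto-1_1.dll"},
    "sockets": {"_socket.pyd"},
    "native_ffi": {"_ctypes.pyd"},
    "gui": {"_tkinter.pyd", "tk86t.dll", "tcl86t.dll"},
}

# Windows binaries that droppers imitate and where the genuine copy lives.
# Assumption of this example: a lookalike outside that directory is worth flagging.
KNOWN_SYSTEM_BINARIES = {"runtimebroker.exe": r"C:\Windows\System32"}


def parse_dropped(lines):
    """Return (dropper_path, [dropped_paths]); lines that are not dropped-file entries are skipped."""
    source, dropped = None, []
    for m in filter(None, (DROPPED_RE.match(line.strip()) for line in lines)):
        source = source or PureWindowsPath(m.group("src"))
        dropped.append(PureWindowsPath(m.group("path")))
    return source, dropped


def classify(path):
    """Bucket a dropped file by its role in an embedded Python distribution."""
    name = PureWindowsPath(path).name.lower()
    if name.startswith("api-ms-win-"):
        return "ucrt_forwarder"
    if re.fullmatch(r"python\d*\.dll", name):
        return "interpreter_dll"
    if name in ("python.exe", "pythonw.exe"):
        return "interpreter_exe"
    if name.endswith(".pyd"):
        return "extension_module"
    if name.startswith(("libssl", "libcrypto")):
        return "openssl"
    if name.startswith(("vcruntime", "msvcp", "mfc")):
        return "msvc_runtime"
    return "support_dll"  # tcl/tk, sqlite3 and anything else


def python_version(paths):
    """Interpreter version from pythonXY.dll (python37.dll -> '3.7'), or None."""
    hits = (re.fullmatch(r"python(\d)(\d+)\.dll", PureWindowsPath(p).name.lower()) for p in paths)
    return next((f"{m.group(1)}.{m.group(2)}" for m in hits if m), None)


def capabilities(paths):
    """Capabilities implied by the dropped modules, sorted for stable output."""
    names = {PureWindowsPath(p).name.lower() for p in paths}
    return sorted(cap for cap, markers in CAPABILITY_MARKERS.items() if markers & names)


def masquerade_findings(dropper):
    """Flag a dropper named after a genuine Windows binary that does not live where it should."""
    normalized = dropper.name.lower().replace(" ", "") if dropper else ""
    legit_dir = KNOWN_SYSTEM_BINARIES.get(normalized)
    findings = []
    if legit_dir and dropper.name.lower() != normalized:
        findings.append(f"'{dropper.name}' contains whitespace the genuine binary name lacks")
    if legit_dir and str(dropper.parent).lower() != legit_dir.lower():
        findings.append(f"'{dropper.name}' ran from {dropper.parent}; the genuine copy lives in {legit_dir}")
    return findings


def assess(lines):
    """Triage summary for a block of report lines."""
    dropper, paths = parse_dropped(lines)
    categories = Counter(classify(p) for p in paths)
    install_dirs = sorted({str(p.parent) for p in paths})
    findings = masquerade_findings(dropper)
    if {"interpreter_exe", "interpreter_dll"} <= set(categories):
        findings.append(f"complete Python {python_version(paths)} runtime staged in "
                        f"{', '.join(install_dirs)}; none of it was executed during analysis")
    return {"dropper": str(dropper) if dropper else None, "install_dirs": install_dirs,
            "python_version": python_version(paths), "categories": dict(categories),
            "capabilities": capabilities(paths), "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_LINES), indent=2))
```

Run it as-is to print the summary for the embedded lines, or paste the whole "Dropped PE file" block from a report into `assess()`. The useful output is the combination: an interpreter plus its TLS and socket modules staged under a service-like name, nothing executed yet, and a dropper whose name differs from RuntimeBroker.exe only by a space and a directory. Each of those alone is weak; together they are what to hunt for on other hosts.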

Mitre Att&ck Matrix

Bracketed numbers give how many signatures in this report map to the technique; unnumbered entries are the matrix's fixed placeholders with no matching signature.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Access Token Manipulation [1], Process Injection [1], Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading [1], Access Token Manipulation [1], Process Injection [1], Binary Padding, Software Packing
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Query Registry [1], Security Software Discovery [1], Process Discovery [1], File and Directory Discovery [3], System Information Discovery [3]
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data [1], Clipboard Data [1], Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel [1], Non-Application Layer Protocol [1], Application Layer Protocol [1], Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Impact: System Shutdown/Reboot [1], Device Lockout, Delete Device Data

Behavior Graph

(The interactive behavior graph is not reproduced in this export. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, source language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language), Is malicious, Internet.)