| File name: | RuntimeBroker.exe |
| Full analysis: | https://app.any.run/tasks/877d8786-0d26-4ac8-9fdc-661fdeee0826 |
| Verdict: | Malicious activity |
| Analysis date: | July 17, 2025, 14:27:11 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | A5866C018192D944C652D8F1259B1EF1 |
| SHA1: | C2BE04E0C789B8D858C1886AC7E366E0ED2B621E |
| SHA256: | B2DB33FDCB12889BF6F6BD8CE829CFFF53261CF5F6F3CB294096708C4C507941 |
| SSDEEP: | 49152:R+o7RPY2uikNeRyd72MlsLDil92m3GjNsz/3DgZyFWtEhI/fsbWbzqhLoGdGIHHP:62uiieRyd72QsLDil92m3GJEDgqWu7 |
MALICIOUS
Changes the autorun value in the registry
- RuntimeBroker.exe (PID: 3832)
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
- Runtime Broker.exe (PID: 4052)
SUSPICIOUS
Executable content was dropped or overwritten
- RuntimeBroker.exe (PID: 3832)
Starts itself from another location
- RuntimeBroker.exe (PID: 3832)
Executing commands from a ".bat" file
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
Starts CMD.EXE for commands execution
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
Starts application with an unusual extension
- cmd.exe (PID: 2504)
- cmd.exe (PID: 3740)
- cmd.exe (PID: 1352)
- cmd.exe (PID: 4264)
- cmd.exe (PID: 6664)
- cmd.exe (PID: 5988)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 5768)
- cmd.exe (PID: 6812)
- cmd.exe (PID: 5780)
- cmd.exe (PID: 4748)
- cmd.exe (PID: 4512)
- cmd.exe (PID: 5348)
- cmd.exe (PID: 5244)
- cmd.exe (PID: 3936)
- cmd.exe (PID: 1568)
- cmd.exe (PID: 4080)
- cmd.exe (PID: 1660)
- cmd.exe (PID: 640)
- cmd.exe (PID: 4412)
- cmd.exe (PID: 6312)
- cmd.exe (PID: 6860)
- cmd.exe (PID: 6820)
- cmd.exe (PID: 6664)
- cmd.exe (PID: 5988)
- cmd.exe (PID: 6388)
- cmd.exe (PID: 1056)
- cmd.exe (PID: 6472)
- cmd.exe (PID: 7056)
Reads security settings of Internet Explorer
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
- Runtime Broker.exe (PID: 4052)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 2504)
- cmd.exe (PID: 3740)
- cmd.exe (PID: 1352)
- cmd.exe (PID: 4264)
- cmd.exe (PID: 6664)
- cmd.exe (PID: 5988)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 5768)
- cmd.exe (PID: 5780)
- cmd.exe (PID: 6812)
- cmd.exe (PID: 4748)
- cmd.exe (PID: 4512)
- cmd.exe (PID: 5244)
- cmd.exe (PID: 5348)
- cmd.exe (PID: 1568)
- cmd.exe (PID: 3936)
- cmd.exe (PID: 4080)
- cmd.exe (PID: 1660)
- cmd.exe (PID: 640)
- cmd.exe (PID: 4412)
- cmd.exe (PID: 6312)
- cmd.exe (PID: 6860)
- cmd.exe (PID: 6820)
- cmd.exe (PID: 6664)
- cmd.exe (PID: 5988)
- cmd.exe (PID: 6388)
- cmd.exe (PID: 1056)
- cmd.exe (PID: 6472)
- cmd.exe (PID: 7056)
Reads the date of Windows installation
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
The executable file from the user directory is run by the CMD process
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
- Runtime Broker.exe (PID: 4052)
INFO
Creates files or folders in the user directory
- RuntimeBroker.exe (PID: 3832)
Checks supported languages
- RuntimeBroker.exe (PID: 3832)
- Runtime Broker.exe (PID: 7080)
- chcp.com (PID: 6236)
- Runtime Broker.exe (PID: 4664)
- chcp.com (PID: 4320)
- Runtime Broker.exe (PID: 3160)
- chcp.com (PID: 4460)
- Runtime Broker.exe (PID: 5708)
- chcp.com (PID: 4984)
- Runtime Broker.exe (PID: 1212)
- chcp.com (PID: 1740)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- chcp.com (PID: 1336)
- chcp.com (PID: 5140)
- chcp.com (PID: 1936)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- chcp.com (PID: 5904)
- chcp.com (PID: 4572)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4024)
- chcp.com (PID: 4172)
- chcp.com (PID: 5616)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- chcp.com (PID: 864)
- chcp.com (PID: 2552)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- chcp.com (PID: 3112)
- Runtime Broker.exe (PID: 6676)
- chcp.com (PID: 4916)
- chcp.com (PID: 2388)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- chcp.com (PID: 1336)
- chcp.com (PID: 1944)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5576)
- chcp.com (PID: 864)
- chcp.com (PID: 4104)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- chcp.com (PID: 6732)
- Runtime Broker.exe (PID: 1244)
- chcp.com (PID: 6524)
- chcp.com (PID: 3460)
- Runtime Broker.exe (PID: 1740)
- chcp.com (PID: 2596)
- chcp.com (PID: 5684)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 4724)
- chcp.com (PID: 6600)
- Runtime Broker.exe (PID: 236)
- chcp.com (PID: 3932)
- Runtime Broker.exe (PID: 5240)
- chcp.com (PID: 5060)
- Runtime Broker.exe (PID: 4052)
Reads the computer name
- RuntimeBroker.exe (PID: 3832)
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
- Runtime Broker.exe (PID: 4052)
Reads Environment values
- RuntimeBroker.exe (PID: 3832)
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
- Runtime Broker.exe (PID: 4052)
Reads the machine GUID from the registry
- RuntimeBroker.exe (PID: 3832)
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
- Runtime Broker.exe (PID: 4052)
Launching a file from a Registry key
- RuntimeBroker.exe (PID: 3832)
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 4052)
- Runtime Broker.exe (PID: 5240)
Create files in a temporary directory
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
Process checks computer location settings
- Runtime Broker.exe (PID: 7080)
- Runtime Broker.exe (PID: 4664)
- Runtime Broker.exe (PID: 3160)
- Runtime Broker.exe (PID: 5708)
- Runtime Broker.exe (PID: 1212)
- Runtime Broker.exe (PID: 2292)
- Runtime Broker.exe (PID: 4788)
- Runtime Broker.exe (PID: 2192)
- Runtime Broker.exe (PID: 3148)
- Runtime Broker.exe (PID: 4024)
- Runtime Broker.exe (PID: 1216)
- Runtime Broker.exe (PID: 4400)
- Runtime Broker.exe (PID: 5188)
- Runtime Broker.exe (PID: 4692)
- Runtime Broker.exe (PID: 6360)
- Runtime Broker.exe (PID: 6676)
- Runtime Broker.exe (PID: 1604)
- Runtime Broker.exe (PID: 512)
- Runtime Broker.exe (PID: 1704)
- Runtime Broker.exe (PID: 5576)
- Runtime Broker.exe (PID: 5300)
- Runtime Broker.exe (PID: 6384)
- Runtime Broker.exe (PID: 7124)
- Runtime Broker.exe (PID: 1244)
- Runtime Broker.exe (PID: 1740)
- Runtime Broker.exe (PID: 4724)
- Runtime Broker.exe (PID: 6264)
- Runtime Broker.exe (PID: 236)
- Runtime Broker.exe (PID: 5240)
Changes the display of characters in the console
- cmd.exe (PID: 2504)
- cmd.exe (PID: 3740)
- cmd.exe (PID: 1352)
- cmd.exe (PID: 4264)
- cmd.exe (PID: 6664)
- cmd.exe (PID: 5988)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 5768)
- cmd.exe (PID: 6812)
- cmd.exe (PID: 4748)
- cmd.exe (PID: 5780)
- cmd.exe (PID: 4512)
- cmd.exe (PID: 5348)
- cmd.exe (PID: 5244)
- cmd.exe (PID: 1568)
- cmd.exe (PID: 3936)
- cmd.exe (PID: 4080)
- cmd.exe (PID: 1660)
- cmd.exe (PID: 640)
- cmd.exe (PID: 4412)
- cmd.exe (PID: 6312)
- cmd.exe (PID: 6860)
- cmd.exe (PID: 6820)
- cmd.exe (PID: 6664)
- cmd.exe (PID: 5988)
- cmd.exe (PID: 6388)
- cmd.exe (PID: 1056)
- cmd.exe (PID: 6472)
- cmd.exe (PID: 7056)
Manual execution by a user
- Runtime Broker.exe (PID: 4664)
Checks proxy server information
- slui.exe (PID: 4552)
Reads the software policy settings
- slui.exe (PID: 4552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:03:12 16:16:39+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 3261952 |
| InitializedDataSize: | 3584 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x31e41e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.1.1.1 |
| ProductVersionNumber: | 1.1.1.1 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | RuntimeBroker |
| FileVersion: | 1.1.1.1 |
| InternalName: | - |
| LegalCopyright: | - |
| LegalTrademarks: | - |
| OriginalFileName: | - |
| ProductName: | - |
| ProductVersion: | 1.1.1.1 |
| AssemblyVersion: | 1.1.1.1 |
Total processes
279
Monitored processes
148
Malicious processes
50
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 236 | "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: RuntimeBroker Exit code: 0 Version: 1.1.1.1 Modules
| |||||||||||||||
| 512 | "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: RuntimeBroker Exit code: 0 Version: 1.1.1.1 Modules
| |||||||||||||||
| 640 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\otOmI9XKrvE4.bat" " | C:\Windows\System32\cmd.exe | — | Runtime Broker.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 864 | chcp 65001 | C:\Windows\System32\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 864 | chcp 65001 | C:\Windows\System32\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1036 | ping -n 10 localhost | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1056 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1056 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\R3dNmq426O2S.bat" " | C:\Windows\System32\cmd.exe | — | Runtime Broker.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1204 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1212 | "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: RuntimeBroker Exit code: 0 Version: 1.1.1.1 Modules
| |||||||||||||||
Total events
37 140
Read events
37 109
Write events
31
Delete events
0
Modification events
| (PID) Process: | (3832) RuntimeBroker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | RuntimeBroker |
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | |||
| (PID) Process: | (7080) Runtime Broker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | RuntimeBroker |
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | |||
| (PID) Process: | (4664) Runtime Broker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | RuntimeBroker |
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | |||
| (PID) Process: | (3160) Runtime Broker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | RuntimeBroker |
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | |||
| (PID) Process: | (5708) Runtime Broker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | RuntimeBroker |
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | |||
| (PID) Process: | (1212) Runtime Broker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | RuntimeBroker |
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | |||
| (PID) Process: | (2292) Runtime Broker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | RuntimeBroker |
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | |||
| (PID) Process: | (4788) Runtime Broker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | RuntimeBroker |
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | |||
| (PID) Process: | (2192) Runtime Broker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | RuntimeBroker |
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | |||
| (PID) Process: | (3148) Runtime Broker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | RuntimeBroker |
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe" | |||
Executable files
1
Suspicious files
0
Text files
29
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5708 | Runtime Broker.exe | C:\Users\admin\AppData\Local\Temp\pwlbsLPnKeq8.bat | text | |
MD5:1B0AFE57DD63D5A88A73F558C04DD444 | SHA256:8F44DDB12B2EAC8202577211B4C5CE30BFD5561444CFBA833083980D3CE91FB1 | |||
| 3832 | RuntimeBroker.exe | C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe | executable | |
MD5:A5866C018192D944C652D8F1259B1EF1 | SHA256:B2DB33FDCB12889BF6F6BD8CE829CFFF53261CF5F6F3CB294096708C4C507941 | |||
| 3148 | Runtime Broker.exe | C:\Users\admin\AppData\Local\Temp\clGHuTSPGw0j.bat | text | |
MD5:4A37E4D6D112FB99A59264698A1D6BAE | SHA256:CD3976B572D82D7777F72C970EE3D2970F17A912E46EF98C232E58DBF809756B | |||
| 4692 | Runtime Broker.exe | C:\Users\admin\AppData\Local\Temp\46t5yhYLTc7e.bat | text | |
MD5:A1CD0D5B0264462A17D4F1E5DBE1B0B0 | SHA256:D4FF9DC503786025D1420FE41C1A81FFBA4F504E33E395E219D7E1F26745022B | |||
| 4664 | Runtime Broker.exe | C:\Users\admin\AppData\Local\Temp\iNtc4fjNfLAJ.bat | text | |
MD5:8BC84CCF76A2CC3E7EA9E73A1408686F | SHA256:1E974D33CE8C8F020D44C394A6C83EA24A2FDC8E0EB9A804F8468B85A20891DB | |||
| 4788 | Runtime Broker.exe | C:\Users\admin\AppData\Local\Temp\OSNiET8Q2euT.bat | text | |
MD5:07E368FBD8E2219B798DBA7EC9E8C090 | SHA256:A75CFAFE65DAF0BC99FE6CFD67B733D3D07CEC20435B3E99E1C70345352B2B8F | |||
| 4024 | Runtime Broker.exe | C:\Users\admin\AppData\Local\Temp\uUYWsGrzs1nN.bat | text | |
MD5:68A3F036CE7CFB6F6FAEBD40D51CFD87 | SHA256:9E144340AF417233FEE439949C6BBE36D71BF959D2E5A51B2F293B18BF9F20A1 | |||
| 2292 | Runtime Broker.exe | C:\Users\admin\AppData\Local\Temp\hUOc186U1ZoJ.bat | text | |
MD5:F0B7F25E2F0CCFAA3607FFFD2C5AF3D2 | SHA256:D4781A3AA3A0DF70EA357E659EBE3F63EE278D355AB4DD44E635884C2628B529 | |||
| 1212 | Runtime Broker.exe | C:\Users\admin\AppData\Local\Temp\QzImijN2ccnf.bat | text | |
MD5:8BC75E18B45E1A0D063C8B3CF1EA7175 | SHA256:788E0CE2DB579A24C1D8C83846B0A53F52D285AFC635D410C346E58F126C1FF1 | |||
| 6360 | Runtime Broker.exe | C:\Users\admin\AppData\Local\Temp\0YxfeMcFvU6s.bat | text | |
MD5:47D140E0D0E250C4BC831BC7AB6CB4B0 | SHA256:5894A33CCE4C5BB0C1E0AC7E38BFB01062D6E484C378867E5B0CDDBC4C87D499 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1268 | svchost.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5348 | RUXIMICS.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5348 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | 20.72.205.209:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5348 | RUXIMICS.exe | 20.72.205.209:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
1268 | svchost.exe | 20.72.205.209:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 23.55.110.211:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.55.110.211:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5348 | RUXIMICS.exe | 23.55.110.211:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
5348 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |