File name:	RuntimeBroker.exe
Full analysis:	https://app.any.run/tasks/877d8786-0d26-4ac8-9fdc-661fdeee0826
Verdict:	Malicious activity
Analysis date:	July 17, 2025, 14:27:11
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	A5866C018192D944C652D8F1259B1EF1
SHA1:	C2BE04E0C789B8D858C1886AC7E366E0ED2B621E
SHA256:	B2DB33FDCB12889BF6F6BD8CE829CFFF53261CF5F6F3CB294096708C4C507941
SSDEEP:	49152:R+o7RPY2uikNeRyd72MlsLDil92m3GjNsz/3DgZyFWtEhI/fsbWbzqhLoGdGIHHP:62uiieRyd72QsLDil92m3GJEDgqWu7

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:03:12 16:16:39+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	3261952
InitializedDataSize:	3584
UninitializedDataSize:	-
EntryPoint:	0x31e41e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.1.1.1
ProductVersionNumber:	1.1.1.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	RuntimeBroker
FileVersion:	1.1.1.1
InternalName:	-
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	-
ProductName:	-
ProductVersion:	1.1.1.1
AssemblyVersion:	1.1.1.1


(PID) Process:	(3832) RuntimeBroker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RuntimeBroker
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe"
(PID) Process:	(7080) Runtime Broker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RuntimeBroker
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe"
(PID) Process:	(4664) Runtime Broker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RuntimeBroker
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe"
(PID) Process:	(3160) Runtime Broker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RuntimeBroker
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe"
(PID) Process:	(5708) Runtime Broker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RuntimeBroker
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe"
(PID) Process:	(1212) Runtime Broker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RuntimeBroker
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe"
(PID) Process:	(2292) Runtime Broker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RuntimeBroker
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe"
(PID) Process:	(4788) Runtime Broker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RuntimeBroker
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe"
(PID) Process:	(2192) Runtime Broker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RuntimeBroker
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe"
(PID) Process:	(3148) Runtime Broker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	RuntimeBroker
Value: "C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe"

PID	Process	Filename		Type
7080	Runtime Broker.exe	C:\Users\admin\AppData\Local\Temp\DycfSvpgj9n4.bat		text
		MD5:405E81B4047B0DDE6A1E9A9637E01BE4	SHA256:18AB44CB381F47B5C390C0B967E342B148C86119117BDA4807580E57BD92E8CE
3832	RuntimeBroker.exe	C:\Users\admin\AppData\Roaming\SubDir\Runtime Broker.exe		executable
		MD5:A5866C018192D944C652D8F1259B1EF1	SHA256:B2DB33FDCB12889BF6F6BD8CE829CFFF53261CF5F6F3CB294096708C4C507941
5188	Runtime Broker.exe	C:\Users\admin\AppData\Local\Temp\b0fsZmUs3eZV.bat		text
		MD5:ED0C23F184DB28EB305CE08416DD104F	SHA256:31DAA28DBD9D8D88516AD2495BFC3F56788EAD766953BE2D24E3B3406C86AF38
1216	Runtime Broker.exe	C:\Users\admin\AppData\Local\Temp\JUCVa9r2vkWC.bat		text
		MD5:9426FD36A74B7533FCCCB88DA4E6FB85	SHA256:1F4CFEA26020652568F8F74EF883010E932E13D9A08BCA4BCE01EFBE1ABC8082
6676	Runtime Broker.exe	C:\Users\admin\AppData\Local\Temp\UxbR6lzKM3pr.bat		text
		MD5:DCC284B626F8EAD78725815D295A5667	SHA256:184CB3ACCDB342E375384F93D194F862AECD0DBBE221129AE1A8FE70FDB01EC0
3148	Runtime Broker.exe	C:\Users\admin\AppData\Local\Temp\clGHuTSPGw0j.bat		text
		MD5:4A37E4D6D112FB99A59264698A1D6BAE	SHA256:CD3976B572D82D7777F72C970EE3D2970F17A912E46EF98C232E58DBF809756B
2192	Runtime Broker.exe	C:\Users\admin\AppData\Local\Temp\aZ01oZ2L18sm.bat		text
		MD5:E3F50CCD94869452BECD1008EE544FA9	SHA256:C8FC9CF4754D5E95B48907922DE845A12BC17E0940067025937D57BDA6711174
4692	Runtime Broker.exe	C:\Users\admin\AppData\Local\Temp\46t5yhYLTc7e.bat		text
		MD5:A1CD0D5B0264462A17D4F1E5DBE1B0B0	SHA256:D4FF9DC503786025D1420FE41C1A81FFBA4F504E33E395E219D7E1F26745022B
4400	Runtime Broker.exe	C:\Users\admin\AppData\Local\Temp\yOEc62ty7QX6.bat		text
		MD5:FC79FAB6B994217DED98AD9AB8016634	SHA256:984B8C8078DA0DC91ECAB8068ED240277C3BD886690216ADC32E5246D3446B5F
512	Runtime Broker.exe	C:\Users\admin\AppData\Local\Temp\8tdOjfRfrjAS.bat		text
		MD5:B392E42AE5A1871E53D0F11F594A3B74	SHA256:D51AD2967219CDA579840E93DDB6C232B0C94B369E5099334CE9BBFD87B12A93

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5348	RUXIMICS.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5348	RUXIMICS.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	20.72.205.209:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5348	RUXIMICS.exe	20.72.205.209:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1268	svchost.exe	20.72.205.209:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.55.110.211:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.55.110.211:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5348	RUXIMICS.exe	23.55.110.211:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5348	RUXIMICS.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
google.com	216.58.206.78	whitelisted
crl.microsoft.com	23.55.110.211 23.55.110.193	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
settings-win.data.microsoft.com	52.167.17.97	whitelisted
self.events.data.microsoft.com	13.89.179.11	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

RuntimeBroker.exe

A5866C018192D944C652D8F1259B1EF1

C2BE04E0C789B8D858C1886AC7E366E0ED2B621E

B2DB33FDCB12889BF6F6BD8CE829CFFF53261CF5F6F3CB294096708C4C507941

49152:R+o7RPY2uikNeRyd72MlsLDil92m3GjNsz/3DgZyFWtEhI/fsbWbzqhLoGdGIHHP:62uiieRyd72QsLDil92m3GJEDgqWu7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Starts itself from another location

Reads the date of Windows installation

Reads security settings of Internet Explorer

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Starts application with an unusual extension

Runs PING.EXE to delay simulation

The executable file from the user directory is run by the CMD process

INFO

Reads the machine GUID from the registry

Reads Environment values

Reads the computer name

Checks supported languages

Creates files or folders in the user directory

Launching a file from a Registry key

Create files in a temporary directory

Process checks computer location settings

Manual execution by a user

Changes the display of characters in the console

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings