RuntimeBroker.exe

  • File Path: C:\WINDOWS\system32\RuntimeBroker.exe
  • Description: Runtime Broker

Hashes

Type Hash
MD5 6CFF0673CE2002A2FE2218642605187A
SHA1 7AE43B9B9DF5C5B8C0B26C36FF02557CEEF13E27
SHA256 5E979C34A5FEB14ED18F36E956B0614FF305C8596DD01571A2EBABDC8131CE77
SHA384 B7F7043162A613F4DD24B3A92B517E5493F8C0CC5770E19EB3FB19D8B80CDC1B28374F06CE3EDEE61A667A5A7B34ADAB
SHA512 996777FF3A7A8994FAC8A7768F315F56DEE33CFBF8C5995924607EF2DD0A7FD1A18348DFAD98A61099FED7044BD402A5C163A06207BA7648D0B30EB65C095894
SSDEEP 1536:px4++Y9uxyixRfAuiyJw8rFk2xh7kwMLnjCdF/o9o+J2EmSlV0ls/XiVepP3T2:p6+oxRrim0LeX/ooQ2en0wiVuL2

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: RuntimeBroker.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of RuntimeBroker.exe being misused. While RuntimeBroker.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_creation_system_file.yml - '\RuntimeBroker.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\runtimebroker.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml TargetFilename\|endswith: '\RuntimeBroker.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - '\RuntimeBroker.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - TargetImage: 'C:\Windows\System32\RuntimeBroker.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\RuntimeBroker.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.