Technical Information
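- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'RuntimeBroker' = '"%APPDATA%\RuntimeBroker\RuntimeBroker.exe"' (autorun value: the file is started at each logon of this user)
- %APPDATA%\runtimebroker\runtimebroker.exe (the file the Run value points to; the genuine Windows RuntimeBroker.exe is located in <SYSTEM32>, so a file of that name under %APPDATA% is worth flagging)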
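- '77.##2.41.206':80 (in this and the following addresses, and in the URL further down, '#' appears to stand for characters redacted by the publisher, so these entries are not complete indicators)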
- '21#.#7.199.180':443
- '21#.#7.199.143':443
- '19#.#0.195.2':443
- '21#.#7.199.162':443
- '78.#4.199.2':443
- '78.##.199.20':443
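- 'microsoft.com':80 (legitimate host; together with the certificate download on the next line this looks like ordinary Windows certificate retrieval, so it is not a useful indicator on its own)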
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- http://77.##2.41.206/bcaa8752-51ff-4e35-8ef9-4aefbf42b482/update/da36ad5b-8de9-4c5d-8cd6-badb71d5e1c7?id#######################################################################################
- '19#.#0.195.2':443
- '78.#4.199.2':443
- '78.##.199.20':443
- DNS ASK microsoft.com
- '%APPDATA%\runtimebroker\runtimebroker.exe'
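- '<SYSTEM32>\cmd.exe' /C choice /C Y /N /D Y /T 3 & del "<Full path to file>" (with hidden window; choice with /T 3 /D Y acts as a 3-second delay before the file is deleted)
- '<SYSTEM32>\cmd.exe' /C choice /C Y /N /D Y /T 3 & start "" "%APPDATA%\RuntimeBroker\RuntimeBroker.exe" (with hidden window; the same 3-second delay, then the file under %APPDATA% is started)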
- '<SYSTEM32>\cmd.exe' /C choice /C Y /N /D Y /T 3 & start "" "%APPDATA%\RuntimeBroker\RuntimeBroker.exe"
- '<SYSTEM32>\cmd.exe' /C choice /C Y /N /D Y /T 3 & del "<Full path to file>"
- '<SYSTEM32>\choice.exe' /C Y /N /D Y /T 3