Windows Analysis Report
MicrosoftEdgeUpdate.exe

Overview

General Information

Sample name: MicrosoftEdgeUpdate.exe
Analysis ID: 1432222
MD5: c019e421d9f897108e51666cbae2c8b0
SHA1: 3d26b0dc519e04999118f4a02ea8acd5f1db8feb
SHA256: 3096d8e82917a9b73f322f4b1743e52e9b0c8b3c5933a957e73e29d6973cdd5b

Detection

Score: 0
Range: 0 - 100
Whitelisted: true
Confidence: 100%

Signatures

Monitors registry run keys for changes
Contains capabilities to detect virtual machines
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Source: MicrosoftEdgeUpdate.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MicrosoftEdgeUpdate.exe Static PE information: certificate valid
Source: MicrosoftEdgeUpdate.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe
Source: MicrosoftEdgeUpdate.exe, 00000000.00000000.1109659146.00000000004BC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemsedgeupdate.dllL vs MicrosoftEdgeUpdate.exe
Source: MicrosoftEdgeUpdate.exe Binary or memory string: OriginalFilenamemsedgeupdate.dllL vs MicrosoftEdgeUpdate.exe
Source: classification engine Classification label: clean22.winEXE@3/1@0/0
Source: C:\Windows\System32\Taskmgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b
Source: MicrosoftEdgeUpdate.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe "C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe"
Source: unknown Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Taskmgr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32
Source: C:\Windows\System32\Taskmgr.exe Window found: window name: SysTabControl32
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Boot Survival

Source: C:\Windows\System32\Taskmgr.exe Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Windows\System32\Taskmgr.exe Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Source: C:\Windows\System32\Taskmgr.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png VolumeInformation
No contacted IP infos