Edit tour

Windows Analysis Report
MicrosoftEdgeUpdate.exe

Overview

General Information

Sample name:	MicrosoftEdgeUpdate.exe
Analysis ID:	1432222
MD5:	c019e421d9f897108e51666cbae2c8b0
SHA1:	3d26b0dc519e04999118f4a02ea8acd5f1db8feb
SHA256:	3096d8e82917a9b73f322f4b1743e52e9b0c8b3c5933a957e73e29d6973cdd5b
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

Monitors registry run keys for changes

Contains capabilities to detect virtual machines

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

MicrosoftEdgeUpdate.exe (PID: 6956 cmdline: "C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe" MD5: C019E421D9F897108E51666CBAE2C8B0)

Taskmgr.exe (PID: 6672 cmdline: "C:\Windows\system32\taskmgr.exe" /4 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)

Taskmgr.exe (PID: 1544 cmdline: "C:\Windows\system32\taskmgr.exe" /4 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: MicrosoftEdgeUpdate.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MicrosoftEdgeUpdate.exe

Static PE information: certificate valid

Source: MicrosoftEdgeUpdate.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe

Source: Taskmgr.exe, 0000000E.00000003.1472545843.000001C7EFB84000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1473390487.000001C7EFBA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.m
Source: Taskmgr.exe, 0000000E.00000003.1472545843.000001C7EFB84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsPk
Source: Taskmgr.exe, 0000000E.00000003.1472545843.000001C7EFB84000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1473390487.000001C7EFBA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: Taskmgr.exe, 0000000E.00000003.1472545843.000001C7EFB84000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1473390487.000001C7EFBA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.co

Source: MicrosoftEdgeUpdate.exe, 00000000.00000000.1109659146.00000000004BC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemsedgeupdate.dllL vs MicrosoftEdgeUpdate.exe
Source: MicrosoftEdgeUpdate.exe	Binary or memory string: OriginalFilenamemsedgeupdate.dllL vs MicrosoftEdgeUpdate.exe

Source: MicrosoftEdgeUpdate.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean22.winEXE@3/1@0/0

Source: C:\Windows\System32\Taskmgr.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b

Source: MicrosoftEdgeUpdate.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe "C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe"
Source: unknown	Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: unknown	Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4

Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: MicrosoftEdgeUpdate.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MicrosoftEdgeUpdate.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: MicrosoftEdgeUpdate.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe

Boot Survival

Monitors registry run keys for changes

Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition/
Source: Taskmgr.exe, 0000000E.00000003.1475341722.000001C7EFB9B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1472545843.000001C7EFB84000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFB9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionll
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V Heartbeat Service
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HHyper-V Volume Shadow Copy Requestor&
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F0188000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000000
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor8
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: >Hyper-V Guest Service Interface
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :Hyper-V Data Exchange Service
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service*
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BHyper-V PowerShell Direct Service
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition$'-"
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor.syszU
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F0170000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V nyyempmfbiidaux Bus3
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service$
Source: Taskmgr.exe, 0000000E.00000003.1475341722.000001C7EFB9B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1472545843.000001C7EFB84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionz_
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorF
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor,
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdownSubSyst
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partitionx
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service\|x
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorO
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor.mui\|
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes%
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ZHyper-V Remote Desktop Virtualization Service
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EFAA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V nyyempmfbiidaux Bus Pipes
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000^
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <Hyper-V Guest Shutdown Service@
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V HypervisorXG
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F0188000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk DeviceZ
Source: Taskmgr.exe, 0000000E.00000002.2381381348.000001C7F021F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HHyper-V Time Synchronization Service&
Source: Taskmgr.exe, 0000000E.00000002.2377809703.000001C7EF980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MicrosoftEdgeUpdate.exe	0%	ReversingLabs
MicrosoftEdgeUpdate.exe	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://go.microsoft.c	0%	URL Reputation	safe
http://go.microsoft.c	0%	URL Reputation	safe
http://go.m	0%	Avira URL Cloud	safe
http://go.microsPk	0%	Avira URL Cloud	safe
http://go.microsoft.co	0%	Avira URL Cloud	safe
http://go.microsoft.co	1%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.m	Taskmgr.exe, 0000000E.00000003.1472545843.000001C7EFB84000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1473390487.000001C7EFBA9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.microsPk	Taskmgr.exe, 0000000E.00000003.1472545843.000001C7EFB84000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.microsoft.co	Taskmgr.exe, 0000000E.00000003.1472545843.000001C7EFB84000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1473390487.000001C7EFBA9000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://go.microsoft.c	Taskmgr.exe, 0000000E.00000003.1472545843.000001C7EFB84000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1473390487.000001C7EFBA9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432222
Start date and time:	2024-04-26 17:48:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MicrosoftEdgeUpdate.exe
Detection:	CLEAN
Classification:	clean22.winEXE@3/1@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Joe Sandbox View / Context

Created / dropped Files

C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Download File

Process:	C:\Windows\System32\Taskmgr.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:R:R
MD5:	F49655F856ACB8884CC0ACE29216F511
SHA1:	CB0F1F87EC0455EC349AAA950C600475AC7B7B6B
SHA-256:	7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
SHA-512:	599E93D25B174524495ED29653052B3590133096404873318F05FD68F4C9A5C9A3B30574551141FBB73D7329D6BE342699A17F3AE84554BAB784776DFDA2D5F8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	EERF

Instruction
call 00007F36FCE00C45h
jmp 00007F36FCE006FFh
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F36FCE008DDh
mov dword ptr [esi], 004011B4h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004011BCh
mov dword ptr [ecx], 004011B4h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F36FCE008AAh
mov dword ptr [esi], 004011D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00406E10h
mov dword ptr [ecx], 004011D0h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 00401194h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F36FCE02D5Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00401194h
push eax
call 00007F36FCE02DA8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 00401194h
push eax
call 00007F36FCE02D91h
test byte ptr [ebp+08h], 00000001h

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c150	0x3c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x17110	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x32400	0x23a8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x35000	0x143c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7514	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10d8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1c000	0x14c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x19024	0x60	.text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18100	0x18200	e16802b266e214beb8b7976b23c81712	False	0.5424425194300518	Matlab v4 mat-file (little endian) \|\264@, numeric, rows 4240516, columns 0	6.354561953363584	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1a000	0x1698	0xc00	66a41492c66ae3891e26393c70d5b0be	False	0.17252604166666666	data	2.551462668407192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1c000	0x8c2	0xa00	c665dfc84f9a5d4e881b2d498e8f163d	False	0.4203125	data	5.03422162536055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1d000	0x17110	0x17200	0187706d95de95869a5b94fd714ee472	False	0.07183277027027027	data	3.9211552458320087	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x35000	0x143c	0x1600	d805d7e598f8f9da8a71e774a51b4eb8	False	0.7212357954545454	data	6.367622959465254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1e040	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors	English	United States	0.6317567567567568
RT_ICON	0x1e168	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.5823699421965318
RT_ICON	0x1e6d0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors	English	United States	0.5120967741935484
RT_ICON	0x1e9b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.5455776173285198
RT_ICON	0x1f260	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.36341463414634145
RT_ICON	0x1f8c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.42350746268656714
RT_GROUP_ICON	0x20770	0x5a	data	English	United States	0.7333333333333333
RT_VERSION	0x33d68	0x3a8	data			0.41346153846153844
RT_VERSION	0x20b68	0x398	OpenPGP Public Key	Arabic	Saudi Arabia	0.40869565217391307
RT_VERSION	0x20f00	0x398	OpenPGP Public Key	Bulgarian	Bulgaria	0.4097826086956522
RT_VERSION	0x21630	0x398	OpenPGP Public Key	Catalan	Spain	0.4097826086956522
RT_VERSION	0x2c670	0x39c	data	Chinese	Taiwan	0.4145021645021645
RT_VERSION	0x219c8	0x398	OpenPGP Public Key	Czech	Czech Republic	0.4097826086956522
RT_VERSION	0x21d60	0x398	OpenPGP Public Key	Danish	Denmark	0.4076086956521739
RT_VERSION	0x220f8	0x398	OpenPGP Public Key	German	Germany	0.4097826086956522
RT_VERSION	0x22490	0x398	OpenPGP Public Key	Greek	Greece	0.40869565217391307
RT_VERSION	0x22828	0x398	OpenPGP Public Key	English	United States	0.4076086956521739
RT_VERSION	0x23dc8	0x398	OpenPGP Public Key	Finnish	Finland	0.4097826086956522
RT_VERSION	0x244f8	0x398	OpenPGP Public Key	French	France	0.4097826086956522
RT_VERSION	0x261b8	0x398	OpenPGP Public Key	Hebrew	Israel	0.4097826086956522
RT_VERSION	0x25358	0x398	OpenPGP Public Key	Hungarian	Hungary	0.4097826086956522
RT_VERSION	0x25a88	0x398	OpenPGP Public Key	Icelandic	Iceland	0.4097826086956522
RT_VERSION	0x25e20	0x398	OpenPGP Public Key	Italian	Italy	0.4097826086956522
RT_VERSION	0x26550	0x398	OpenPGP Public Key	Japanese	Japan	0.40869565217391307
RT_VERSION	0x26c80	0x398	OpenPGP Public Key	Korean	North Korea	0.4097826086956522
RT_VERSION	0x26c80	0x398	OpenPGP Public Key	Korean	South Korea	0.4097826086956522
RT_VERSION	0x285a8	0x398	OpenPGP Public Key	Dutch	Netherlands	0.4097826086956522
RT_VERSION	0x28210	0x398	OpenPGP Public Key	Norwegian	Norway	0.4097826086956522
RT_VERSION	0x28940	0x398	OpenPGP Public Key	Polish	Poland	0.4097826086956522
RT_VERSION	0x28cd8	0x39c	data	Portuguese	Brazil	0.4145021645021645
RT_VERSION	0x29418	0x398	OpenPGP Public Key	Romanian	Romania	0.4076086956521739
RT_VERSION	0x297b0	0x398	OpenPGP Public Key	Russian	Russia	0.4097826086956522
RT_VERSION	0x24fc0	0x398	OpenPGP Public Key	Croatian	Croatia	0.4097826086956522
RT_VERSION	0x29b48	0x398	OpenPGP Public Key	Slovak	Slovakia	0.4097826086956522
RT_VERSION	0x327a8	0x398	OpenPGP Public Key	Albanian	Albania	0.4097826086956522
RT_VERSION	0x2a610	0x398	OpenPGP Public Key	Swedish	Sweden	0.4097826086956522
RT_VERSION	0x2b0d8	0x398	OpenPGP Public Key	Thai	Thailand	0.4097826086956522
RT_VERSION	0x2b470	0x398	OpenPGP Public Key	Turkish	Turkey	0.4076086956521739
RT_VERSION	0x2bba0	0x398	OpenPGP Public Key	Urdu	Pakistan	0.40869565217391307
RT_VERSION	0x2bba0	0x398	OpenPGP Public Key	Urdu	India	0.40869565217391307
RT_VERSION	0x256f0	0x398	OpenPGP Public Key	Indonesian	Indonesia	0.4097826086956522
RT_VERSION	0x2b808	0x398	OpenPGP Public Key	Ukrainian	Ukrain	0.4097826086956522
RT_VERSION	0x29ee0	0x398	OpenPGP Public Key	Slovenian	Slovenia	0.40869565217391307
RT_VERSION	0x23698	0x398	OpenPGP Public Key	Estonian	Estonia	0.40869565217391307
RT_VERSION	0x273b0	0x398	OpenPGP Public Key	Latvian	Lativa	0.4097826086956522
RT_VERSION	0x27018	0x398	OpenPGP Public Key	Lithuanian	Lithuania	0.4097826086956522
RT_VERSION	0x23a30	0x398	OpenPGP Public Key	Farsi	Iran	0.4097826086956522
RT_VERSION	0x23a30	0x398	OpenPGP Public Key	Farsi	Afganistan	0.4097826086956522
RT_VERSION	0x23a30	0x398	OpenPGP Public Key	Farsi	Tajikistan	0.4097826086956522
RT_VERSION	0x23a30	0x398	OpenPGP Public Key	Farsi	Uzbekistan	0.4097826086956522
RT_VERSION	0x2bf38	0x398	OpenPGP Public Key	Vietnamese	Vietnam	0.4097826086956522
RT_VERSION	0x2d140	0x398	OpenPGP Public Key	Azeri	Italy	0.4097826086956522
RT_VERSION	0x2e358	0x398	OpenPGP Public Key	Basque	France	0.4076086956521739
RT_VERSION	0x2e358	0x398	OpenPGP Public Key	Basque	Spain	0.4076086956521739
RT_VERSION	0x30e80	0x398	OpenPGP Public Key	FYRO Macedonia	Macedonia	0.4097826086956522
RT_VERSION	0x2ca10	0x398	OpenPGP Public Key	Afrikaans	South Africa	0.40869565217391307
RT_VERSION	0x2ca10	0x398	OpenPGP Public Key	Afrikaans	Namibia	0.40869565217391307
RT_VERSION	0x2f558	0x398	OpenPGP Public Key	Georgian	Georgia	0.40869565217391307
RT_VERSION	0x24c28	0x398	OpenPGP Public Key	Hindi	India	0.4097826086956522
RT_VERSION	0x31218	0x398	OpenPGP Public Key	Maltese	Malta	0.4097826086956522
RT_VERSION	0x27e78	0x398	OpenPGP Public Key	Malay	Malaysia	0.4076086956521739
RT_VERSION	0x2f8f0	0x398	OpenPGP Public Key	Kazakh	Kazakhstan	0.40869565217391307
RT_VERSION	0x33638	0x398	OpenPGP Public Key	Tatar	Russia	0.4097826086956522
RT_VERSION	0x2d4d8	0x39c	data	Bengali	India	0.4134199134199134
RT_VERSION	0x32078	0x398	OpenPGP Public Key	Punjabi	Pakistan	0.40869565217391307
RT_VERSION	0x32078	0x398	OpenPGP Public Key	Punjabi	India	0.40869565217391307
RT_VERSION	0x24890	0x398	OpenPGP Public Key	Gujarati	India	0.4076086956521739
RT_VERSION	0x31ce0	0x398	OpenPGP Public Key	Oriya	India	0.4076086956521739
RT_VERSION	0x2a9a8	0x398	OpenPGP Public Key	Tamil	India	0.4097826086956522
RT_VERSION	0x2a9a8	0x398	OpenPGP Public Key	Tamil	Sri Lanka	0.4097826086956522
RT_VERSION	0x2ad40	0x398	OpenPGP Public Key	Telugu	India	0.40869565217391307
RT_VERSION	0x268e8	0x398	OpenPGP Public Key	Kannada	Kanada	0.4097826086956522
RT_VERSION	0x27748	0x398	OpenPGP Public Key	Malayalam	India	0.4097826086956522
RT_VERSION	0x2cda8	0x398	OpenPGP Public Key	Assamese	India	0.40869565217391307
RT_VERSION	0x27ae0	0x398	OpenPGP Public Key	Marathi	India	0.4097826086956522
RT_VERSION	0x2dfc0	0x398	OpenPGP Public Key	Welsh	England	0.4097826086956522
RT_VERSION	0x2fc88	0x398	OpenPGP Public Key	Khmer	Vietnam	0.40869565217391307
RT_VERSION	0x2fc88	0x398	OpenPGP Public Key	Khmer	Thailand	0.40869565217391307
RT_VERSION	0x30750	0x398	OpenPGP Public Key	Lao	Laos	0.4097826086956522
RT_VERSION	0x2f1c0	0x398	OpenPGP Public Key	Galician	Italy	0.40869565217391307
RT_VERSION	0x30020	0x398	OpenPGP Public Key	Konkani	India	0.4076086956521739
RT_VERSION	0x207d0	0x398	OpenPGP Public Key	Amharic	Ethiopia	0.4076086956521739
RT_VERSION	0x315b0	0x398	OpenPGP Public Key	Nepali	Nepal	0.4097826086956522
RT_VERSION	0x24160	0x398	OpenPGP Public Key	Filipino	Philippines	0.40652173913043477
RT_VERSION	0x303b8	0x398	OpenPGP Public Key			0.4097826086956522
RT_VERSION	0x339d0	0x398	OpenPGP Public Key			0.4097826086956522
RT_VERSION	0x30ae8	0x398	OpenPGP Public Key	Maori	New Zealand	0.4097826086956522
RT_VERSION	0x2ee28	0x398	OpenPGP Public Key			0.40869565217391307
RT_VERSION	0x2dc10	0x3b0	data			0.4141949152542373
RT_VERSION	0x2c2d0	0x39c	data	Chinese	China	0.4145021645021645
RT_VERSION	0x22bc0	0x39c	data	English	Great Britain	0.4145021645021645
RT_VERSION	0x232f8	0x3a0	data	Spanish	Mexico	0.41379310344827586
RT_VERSION	0x31948	0x398	OpenPGP Public Key	Norwegian	Norway	0.40869565217391307
RT_VERSION	0x29078	0x39c	data	Portuguese	Portugal	0.4134199134199134
RT_VERSION	0x2a278	0x398	OpenPGP Public Key	Serbian	Italy	0.4097826086956522
RT_VERSION	0x2ea90	0x398	OpenPGP Public Key	Gaelic	Ireland	0.40869565217391307
RT_VERSION	0x21298	0x398	OpenPGP Public Key	Bengali	Bangladesh	0.4097826086956522
RT_VERSION	0x22f60	0x398	OpenPGP Public Key			0.40869565217391307
RT_VERSION	0x2e6f0	0x39c	data	French	Canada	0.4134199134199134
RT_VERSION	0x32410	0x398	OpenPGP Public Key			0.40869565217391307
RT_VERSION	0x2d878	0x398	OpenPGP Public Key	Bosnian	Bosnian	0.4097826086956522
RT_VERSION	0x32b40	0x3a8	data			0.41452991452991456
RT_VERSION	0x33290	0x3a8	data			0.4113247863247863
RT_VERSION	0x32ee8	0x3a8	data			0.41239316239316237
RT_MANIFEST	0x1da30	0x60c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4160206718346253

DLL	Import
KERNEL32.dll	GetModuleFileNameW, GetLastError, CloseHandle, GetProcAddress, CreateProcessW, FreeLibrary, GetTempFileNameW, LoadLibraryExW, GetCommandLineW, GetModuleHandleW, WriteConsoleW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, LocalFree, FormatMessageA, CreateDirectoryW, CreateFileW, DeleteFileW, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, GetFileInformationByHandle, RemoveDirectoryW, SetFilePointerEx, AreFileApisANSI, SetLastError, CopyFileW, MultiByteToWideChar, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RtlUnwind, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, GetCPInfo, HeapAlloc, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, DecodePointer
ole32.dll	CoTaskMemFree

GetModuleFileNameW, GetLastError, CloseHandle, GetProcAddress, CreateProcessW, FreeLibrary, GetTempFileNameW, LoadLibraryExW, GetCommandLineW, GetModuleHandleW, WriteConsoleW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, LocalFree, FormatMessageA, CreateDirectoryW, CreateFileW, DeleteFileW, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, GetFileInformationByHandle, RemoveDirectoryW, SetFilePointerEx, AreFileApisANSI, SetLastError, CopyFileW, MultiByteToWideChar, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RtlUnwind, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, GetCPInfo, HeapAlloc, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, DecodePointer

ole32.dll

CoTaskMemFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Arabic	Saudi Arabia
Bulgarian	Bulgaria
Catalan	Spain
Chinese	Taiwan
Czech	Czech Republic
Danish	Denmark
German	Germany
Greek	Greece
Finnish	Finland
French	France
Hebrew	Israel
Hungarian	Hungary
Icelandic	Iceland
Italian	Italy
Japanese	Japan
Korean	North Korea
Korean	South Korea
Dutch	Netherlands
Norwegian	Norway
Polish	Poland
Portuguese	Brazil
Romanian	Romania
Russian	Russia
Croatian	Croatia
Slovak	Slovakia
Albanian	Albania
Swedish	Sweden
Thai	Thailand
Turkish	Turkey
Urdu	Pakistan
Urdu	India
Indonesian	Indonesia
Ukrainian	Ukrain
Slovenian	Slovenia
Estonian	Estonia
Latvian	Lativa
Lithuanian	Lithuania
Farsi	Iran
Farsi	Afganistan
Farsi	Tajikistan
Farsi	Uzbekistan
Vietnamese	Vietnam
FYRO Macedonia	Macedonia
Afrikaans	South Africa
Afrikaans	Namibia
Georgian	Georgia
Maltese	Malta
Malay	Malaysia
Kazakh	Kazakhstan
Tamil	Sri Lanka
Kannada	Kanada
Welsh	England
Lao	Laos
Amharic	Ethiopia
Nepali	Nepal
Filipino	Philippines
Maori	New Zealand
Chinese	China
English	Great Britain
Spanish	Mexico
Portuguese	Portugal
Gaelic	Ireland
Bengali	Bangladesh
French	Canada
Bosnian	Bosnian

Target ID:	0
Start time:	17:49:20
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe"
Imagebase:	0x4a0000
File size:	214'952 bytes
MD5 hash:	C019E421D9F897108E51666CBAE2C8B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:49:55
Start date:	26/04/2024
Path:	C:\Windows\System32\Taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe" /4
Imagebase:	0x7ff78e410000
File size:	1'213'232 bytes
MD5 hash:	58D5BC7895F7F32EE308E34F06F25DD5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:49:56
Start date:	26/04/2024
Path:	C:\Windows\System32\Taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe" /4
Imagebase:	0x7ff78e410000
File size:	1'213'232 bytes
MD5 hash:	58D5BC7895F7F32EE308E34F06F25DD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.631888449445425
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MicrosoftEdgeUpdate.exe
File size:	214'952 bytes
MD5:	c019e421d9f897108e51666cbae2c8b0
SHA1:	3d26b0dc519e04999118f4a02ea8acd5f1db8feb
SHA256:	3096d8e82917a9b73f322f4b1743e52e9b0c8b3c5933a957e73e29d6973cdd5b
SHA512:	5aa5da738b65f820d23c01ddbafaccdef51975ce8ade4225a34e1bcc1e23235d78062cb3b7da0579f0ce1bcc3b76875f7fea1bc8c982691d3856d488e03b7e02
SSDEEP:	3072:ZgNpVWYxi/7gKNkhSC+t+MMCTs0kH+Bkx6uyXnZeiB+N6LpCcu51lviIzdXfEqMM:P7gKNkhSR/5kHouyXnZhB+h8WH3
TLSH:	14246F2233F84969F8F35E316C349F29993EBC35AE35E72E1644219E2D35A41D921B33
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w...............}.......}..C....}.......y.......y.......y.......}.......}..............Hf......Hf+.......C.....Hf......Rich...

Entrypoint:	0x40b612
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x60F8C6E6 [Thu Jul 22 01:16:22 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	e00d60405a249a05d3b09aa7fe924b17

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	15/12/2020 22:31:47 02/12/2021 22:31:47
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	1443093D80E98F18DBCFB9E721DFDE54
Thumbprint SHA-1:	C774204049D25D30AF9AC2F116B3C1FB88EE00A4
Thumbprint SHA-256:	88FBD83CDEDDB75CCDA592E59B6F5CE0932C0AFDA61F446C6C950E508B2818E6
Serial:	33000001E2F17D92020E49F87F0000000001E2

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MicrosoftEdgeUpdate.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: MicrosoftEdgeUpdate.exePID: 6956, Parent PID: 4380

General

Chronological Activities

Analysis Process: Taskmgr.exePID: 6672, Parent PID: 4380

General

Chronological Activities

Analysis Process: Taskmgr.exePID: 1544, Parent PID: 4380

General

Windows Analysis Report
MicrosoftEdgeUpdate.exe