Windows Analysis Report
MicrosoftEdgeUpdate.exe

Overview

General Information

Sample name: MicrosoftEdgeUpdate.exe
Analysis ID: 1432230
MD5: b55ad19c6c110e9bf985bc8674f7bcb3
SHA1: accd3e9360bb920985f1a42ee00eda43cf6405e9
SHA256: 9991ba022173f283ee99068b708f60ac5143fe0c81c9e3673cc7835b108a4f44

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Monitors registry run keys for changes
Contains capabilities to detect virtual machines
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Source: MicrosoftEdgeUpdate.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MicrosoftEdgeUpdate.exe Static PE information: certificate valid
Source: MicrosoftEdgeUpdate.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025564053000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679030829.0000025564076000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679590377.0000025564086000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.VMq
Source: Taskmgr.exe, 0000000E.00000003.1679030829.0000025564076000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.c
Source: Taskmgr.exe, 0000000E.00000003.1679030829.0000025564076000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679590377.0000025564086000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.fMa
Source: MicrosoftEdgeUpdate.exe, 00000000.00000000.1115168180.0000000000BEB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemsedgeupdate.dllL vs MicrosoftEdgeUpdate.exe
Source: MicrosoftEdgeUpdate.exe Binary or memory string: OriginalFilenamemsedgeupdate.dllL vs MicrosoftEdgeUpdate.exe
Source: MicrosoftEdgeUpdate.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: sus22.winEXE@3/1@0/0
Source: C:\Windows\System32\Taskmgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b
Source: MicrosoftEdgeUpdate.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe "C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe"
Source: unknown Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: unknown Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Taskmgr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32
Source: C:\Windows\System32\Taskmgr.exe Window found: window name: SysTabControl32
Source: MicrosoftEdgeUpdate.exe Static PE information: certificate valid
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: MicrosoftEdgeUpdate.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: MicrosoftEdgeUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe

Boot Survival

Source: C:\Windows\System32\Taskmgr.exe Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Windows\System32\Taskmgr.exe Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Source: C:\Windows\System32\Taskmgr.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root PartitionSm
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionll
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ZHyper-V Remote Desktop Virtualization Service~
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000E.00000002.2398071826.00000255633BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisorr
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processori.0
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor-
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionll&
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >Hyper-V Guest Service Interface
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorU
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root PartitionZ1
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V Heartbeat ServiceM
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service:
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :Hyper-V Data Exchange Service
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BHyper-V PowerShell Direct ServiceV[
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V lsrhhigeeveinyg Bus Pipes
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <Hyper-V Guest Shutdown Service
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service|w
Source: Taskmgr.exe, 0000000E.00000002.2398071826.00000255633B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HHyper-V Volume Shadow Copy Requestorost.exeIxx
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor-
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorman
Source: Taskmgr.exe, 0000000E.00000002.2398071826.00000255633BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid PartitionRY\USu
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000000E.00000002.2398071826.00000255633B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HHyper-V Time Synchronization Service
Source: Taskmgr.exe, 0000000E.00000002.2398991255.000002556388D000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.0000025563851000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V lsrhhigeeveinyg BusvDE
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor.mui
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partitionh2
Source: Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes>
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical ProcessorS1
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicshutdown0
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration ServiceO
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation
No contacted IP infos
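Triage note and check (added here; not part of the sandbox report). Every behavioural signature that drives the score (Run-key monitoring, the Hyper-V and VMware strings, the volume-information queries, the NOOPENFILEERRORBOX error-mode changes) is attributed by the report to C:\Windows\System32\Taskmgr.exe, whose parent is listed as "unknown" and which was started with "/4", not to the sample process. The only activity recorded for MicrosoftEdgeUpdate.exe itself is loading windows.storage.dll, wldp.dll and kernel.appcore.dll and opening the Safer\CodeIdentifiers policy key, and the static checks report a valid certificate with a Microsoft issuer plus an OriginalFilename (msedgeupdate.dll) that differs from the on-disk name. Before acting on the sus22 label, an analyst would re-verify those static claims on a local copy. The following PowerShell script does that; it is an added example, not tooling from the report or from Microsoft, and it assumes the sample is at the path the report shows ($SamplePath is adjustable) and uses the MD5/SHA1/SHA256 values copied from the General Information block. Matching the signer subject string is a heuristic only; for a firm decision compare the signer thumbprint and chain against your organisation's trusted Microsoft signer list.

```powershell
# Added triage script (not from the sandbox report). Re-verifies the report's
# static claims against a local copy of the sample before trusting the score.
# Assumption: the file is at $SamplePath; expected hashes are copied from the
# report's General Information block.
param(
    [string]$SamplePath = 'C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe'
)

$Expected = @{
    MD5    = 'b55ad19c6c110e9bf985bc8674f7bcb3'
    SHA1   = 'accd3e9360bb920985f1a42ee00eda43cf6405e9'
    SHA256 = '9991ba022173f283ee99068b708f60ac5143fe0c81c9e3673cc7835b108a4f44'
}

# 1. Hashes: confirm the local file is the same object the report analysed.
foreach ($alg in @('MD5', 'SHA1', 'SHA256')) {
    $actual = (Get-FileHash -Path $SamplePath -Algorithm $alg).Hash.ToLower()
    $state  = if ($actual -eq $Expected[$alg]) { 'MATCH' } else { 'MISMATCH' }
    '{0,-6} {1} {2}' -f $alg, $actual, $state
}

# 2. Authenticode: "certificate valid" in the report means the embedded
#    signature verifies; it does not by itself prove the signer is Microsoft.
#    Print both the verification status and the signer identity.
$sig = Get-AuthenticodeSignature -FilePath $SamplePath
"Signature status : $($sig.Status)"
"Signer subject   : $($sig.SignerCertificate.Subject)"
"Signer thumbprint: $($sig.SignerCertificate.Thumbprint)"
$isMicrosoft = ($sig.Status -eq 'Valid') -and
               ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
"Valid signature with Microsoft subject (heuristic): $isMicrosoft"

# 3. Version info: the "sample file is different than original file name"
#    signature fires on OriginalFilename in the VS_VERSIONINFO resource. Show
#    the fields so the analyst can judge whether the mismatch is expected.
$vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($SamplePath)
"OriginalFilename : $($vi.OriginalFilename)"
"InternalName     : $($vi.InternalName)"
"ProductName      : $($vi.ProductName)"
"CompanyName      : $($vi.CompanyName)"
"FileVersion      : $($vi.FileVersion)"
$nameMismatch = $vi.OriginalFilename -and
                ($vi.OriginalFilename -ne (Split-Path -Leaf $SamplePath))
"OriginalFilename differs from on-disk name: $nameMismatch"

# 4. Persistence: the three Run keys the report lists as monitored. Dumping
#    their current values shows whether anything was actually written there
#    (the report records monitoring only, no key written).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $key = Get-Item -Path $k
    foreach ($name in $key.GetValueNames()) {
        '{0}  {1} = {2}' -f $k, $name, $key.GetValue($name)
    }
}
```

Run it from an elevated PowerShell on the analysis host, not on a production machine; it only reads the file and the registry and makes no changes. A hash mismatch means you are looking at a different file than the report describes and none of its findings apply; a valid signature with a non-Microsoft subject, or a Run-key entry pointing at an unexpected path, is the point at which the low score should stop being reassuring.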