Edit tour

Windows Analysis Report
MicrosoftEdgeUpdate.exe

Overview

General Information

Sample name:	MicrosoftEdgeUpdate.exe
Analysis ID:	1432230
MD5:	b55ad19c6c110e9bf985bc8674f7bcb3
SHA1:	accd3e9360bb920985f1a42ee00eda43cf6405e9
SHA256:	9991ba022173f283ee99068b708f60ac5143fe0c81c9e3673cc7835b108a4f44
Infos:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Monitors registry run keys for changes

Contains capabilities to detect virtual machines

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

MicrosoftEdgeUpdate.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe" MD5: B55AD19C6C110E9BF985BC8674F7BCB3)

Taskmgr.exe (PID: 6856 cmdline: "C:\Windows\system32\taskmgr.exe" /4 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)

Taskmgr.exe (PID: 6880 cmdline: "C:\Windows\system32\taskmgr.exe" /4 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: MicrosoftEdgeUpdate.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MicrosoftEdgeUpdate.exe

Static PE information: certificate valid

Source: MicrosoftEdgeUpdate.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe

Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025564053000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679030829.0000025564076000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679590377.0000025564086000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.VMq
Source: Taskmgr.exe, 0000000E.00000003.1679030829.0000025564076000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: Taskmgr.exe, 0000000E.00000003.1679030829.0000025564076000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679590377.0000025564086000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.fMa

Source: MicrosoftEdgeUpdate.exe, 00000000.00000000.1115168180.0000000000BEB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemsedgeupdate.dllL vs MicrosoftEdgeUpdate.exe
Source: MicrosoftEdgeUpdate.exe	Binary or memory string: OriginalFilenamemsedgeupdate.dllL vs MicrosoftEdgeUpdate.exe

Source: MicrosoftEdgeUpdate.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus22.winEXE@3/1@0/0

Source: C:\Windows\System32\Taskmgr.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b

Source: MicrosoftEdgeUpdate.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe "C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe"
Source: unknown	Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: unknown	Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4

Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: MicrosoftEdgeUpdate.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MicrosoftEdgeUpdate.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MicrosoftEdgeUpdate.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: MicrosoftEdgeUpdate.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe

Boot Survival

Monitors registry run keys for changes

Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root PartitionSm
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionll
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ZHyper-V Remote Desktop Virtualization Service~
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000E.00000002.2398071826.00000255633BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisorr
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processori.0
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor-
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionll&
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: >Hyper-V Guest Service Interface
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorU
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root PartitionZ1
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V Heartbeat ServiceM
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service:
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :Hyper-V Data Exchange Service
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BHyper-V PowerShell Direct ServiceV[
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V lsrhhigeeveinyg Bus Pipes
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <Hyper-V Guest Shutdown Service
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service\|w
Source: Taskmgr.exe, 0000000E.00000002.2398071826.00000255633B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HHyper-V Volume Shadow Copy Requestorost.exeIxx
Source: Taskmgr.exe, 0000000E.00000002.2398991255.0000025563909000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor-
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorman
Source: Taskmgr.exe, 0000000E.00000002.2398071826.00000255633BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid PartitionRY\USu
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000000E.00000002.2398071826.00000255633B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HHyper-V Time Synchronization Service
Source: Taskmgr.exe, 0000000E.00000002.2398991255.000002556388D000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679666253.0000025563851000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V lsrhhigeeveinyg BusvDE
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor.mui
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partitionh2
Source: Taskmgr.exe, 0000000E.00000003.1679666253.00000255638F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes>
Source: Taskmgr.exe, 0000000E.00000003.1677677269.0000025563EF0000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000002.2400783386.0000025563EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorS1
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown0
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: Taskmgr.exe, 0000000E.00000002.2400783386.0000025563CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration ServiceO

Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MicrosoftEdgeUpdate.exe	0%	ReversingLabs
MicrosoftEdgeUpdate.exe	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://go.microsoft.c	0%	URL Reputation	safe
http://go.microsoft.fMa	0%	Avira URL Cloud	safe
http://go.microsoft.VMq	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.VMq	Taskmgr.exe, 0000000E.00000002.2400783386.0000025564053000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679030829.0000025564076000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679590377.0000025564086000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.microsoft.fMa	Taskmgr.exe, 0000000E.00000003.1679030829.0000025564076000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000E.00000003.1679590377.0000025564086000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.microsoft.c	Taskmgr.exe, 0000000E.00000003.1679030829.0000025564076000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432230
Start date and time:	2024-04-26 17:58:47 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MicrosoftEdgeUpdate.exe
Detection:	SUS
Classification:	sus22.winEXE@3/1@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Joe Sandbox View / Context

Created / dropped Files

C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Download File

Process:	C:\Windows\System32\Taskmgr.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:R:R
MD5:	F49655F856ACB8884CC0ACE29216F511
SHA1:	CB0F1F87EC0455EC349AAA950C600475AC7B7B6B
SHA-256:	7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
SHA-512:	599E93D25B174524495ED29653052B3590133096404873318F05FD68F4C9A5C9A3B30574551141FBB73D7329D6BE342699A17F3AE84554BAB784776DFDA2D5F8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	EERF

Instruction
call 00007FCF98DD87E4h
jmp 00007FCF98DD829Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FCF98DD847Dh
mov dword ptr [esi], 004011A0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004011A8h
mov dword ptr [ecx], 004011A0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FCF98DD844Ah
mov dword ptr [esi], 004011BCh
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00406CF0h
mov dword ptr [ecx], 004011BCh
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 00401180h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FCF98DDA918h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00401180h
push eax
call 00007FCF98DDA963h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 00401180h
push eax
call 00007FCF98DDA94Ch
test byte ptr [ebp+08h], 00000001h
pop ecx

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b14c	0x3c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x16e28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x31e00	0x2390
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x33000	0x1424	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7360	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10d8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x148	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x18c54	0x60	.text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17d30	0x17e00	77a35302b4580ceee7887439ffb49b3d	False	0.544533295157068	Matlab v4 mat-file (little endian) \362\261@, numeric, rows 4239866, columns 0	6.369385160936053	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x19000	0x1698	0xc00	8ad34fc450cd53392da6aef74183623d	False	0.17317708333333334	data	2.5592783937349814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1b000	0x8a8	0xa00	6f48dd51bc82fab0e64b2cfb9e0f65d2	False	0.4140625	data	5.010048730343197	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x16e28	0x17000	c3b0a8348e9d36da10e0c2654d125112	False	0.07218070652173914	data	3.911456773273991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x33000	0x1424	0x1600	e7320ccdad6a0e7d738c6de378acb90e	False	0.7098721590909091	data	6.343567303456645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1d010	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors	English	United States	0.6317567567567568
RT_ICON	0x1d138	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.5823699421965318
RT_ICON	0x1d6a0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors	English	United States	0.5120967741935484
RT_ICON	0x1d988	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.5455776173285198
RT_ICON	0x1e230	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.36341463414634145
RT_ICON	0x1e898	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.42350746268656714
RT_GROUP_ICON	0x1f740	0x5a	data	English	United States	0.7333333333333333
RT_VERSION	0x32a88	0x3a0	data			0.41163793103448276
RT_VERSION	0x1fb30	0x390	data	Arabic	Saudi Arabia	0.40899122807017546
RT_VERSION	0x1fec0	0x390	data	Bulgarian	Bulgaria	0.41118421052631576
RT_VERSION	0x205e0	0x390	data	Catalan	Spain	0.4100877192982456
RT_VERSION	0x2b498	0x394	OpenPGP Secret Key	Chinese	Taiwan	0.4170305676855895
RT_VERSION	0x20970	0x390	data	Czech	Czech Republic	0.4100877192982456
RT_VERSION	0x20d00	0x390	data	Danish	Denmark	0.40899122807017546
RT_VERSION	0x21090	0x390	data	German	Germany	0.40899122807017546
RT_VERSION	0x21420	0x390	data	Greek	Greece	0.40899122807017546
RT_VERSION	0x217b0	0x390	data	English	United States	0.40899122807017546
RT_VERSION	0x22d20	0x390	data	Finnish	Finland	0.4100877192982456
RT_VERSION	0x23440	0x390	data	French	France	0.4100877192982456
RT_VERSION	0x250c0	0x390	data	Hebrew	Israel	0.4100877192982456
RT_VERSION	0x24280	0x390	data	Hungarian	Hungary	0.4100877192982456
RT_VERSION	0x249a0	0x390	data	Icelandic	Iceland	0.4100877192982456
RT_VERSION	0x24d30	0x390	data	Italian	Italy	0.4100877192982456
RT_VERSION	0x25450	0x390	data	Japanese	Japan	0.4100877192982456
RT_VERSION	0x25b70	0x390	data	Korean	North Korea	0.4100877192982456
RT_VERSION	0x25b70	0x390	data	Korean	South Korea	0.4100877192982456
RT_VERSION	0x27460	0x390	data	Dutch	Netherlands	0.40899122807017546
RT_VERSION	0x270d0	0x390	data	Norwegian	Norway	0.4100877192982456
RT_VERSION	0x277f0	0x390	data	Polish	Poland	0.40899122807017546
RT_VERSION	0x27b80	0x394	OpenPGP Secret Key	Portuguese	Brazil	0.41593886462882096
RT_VERSION	0x282b0	0x390	data	Romanian	Romania	0.40899122807017546
RT_VERSION	0x28640	0x390	data	Russian	Russia	0.4100877192982456
RT_VERSION	0x23ef0	0x390	data	Croatian	Croatia	0.4100877192982456
RT_VERSION	0x289d0	0x390	data	Slovak	Slovakia	0.4100877192982456
RT_VERSION	0x314f8	0x390	data	Albanian	Albania	0.4100877192982456
RT_VERSION	0x29480	0x390	data	Swedish	Sweden	0.4100877192982456
RT_VERSION	0x29f30	0x390	data	Thai	Thailand	0.4100877192982456
RT_VERSION	0x2a2c0	0x390	data	Turkish	Turkey	0.40899122807017546
RT_VERSION	0x2a9e0	0x390	data	Urdu	Pakistan	0.4100877192982456
RT_VERSION	0x2a9e0	0x390	data	Urdu	India	0.4100877192982456
RT_VERSION	0x24610	0x390	data	Indonesian	Indonesia	0.4100877192982456
RT_VERSION	0x2a650	0x390	data	Ukrainian	Ukrain	0.4100877192982456
RT_VERSION	0x28d60	0x390	data	Slovenian	Slovenia	0.40789473684210525
RT_VERSION	0x22600	0x390	data	Estonian	Estonia	0.4100877192982456
RT_VERSION	0x26290	0x390	data	Latvian	Lativa	0.4100877192982456
RT_VERSION	0x25f00	0x390	data	Lithuanian	Lithuania	0.4100877192982456
RT_VERSION	0x22990	0x390	data	Farsi	Iran	0.4100877192982456
RT_VERSION	0x22990	0x390	data	Farsi	Afganistan	0.4100877192982456
RT_VERSION	0x22990	0x390	data	Farsi	Tajikistan	0.4100877192982456
RT_VERSION	0x22990	0x390	data	Farsi	Uzbekistan	0.4100877192982456
RT_VERSION	0x2ad70	0x390	data	Vietnamese	Vietnam	0.4100877192982456
RT_VERSION	0x2bf50	0x390	data	Azeri	Italy	0.40899122807017546
RT_VERSION	0x2d140	0x390	data	Basque	France	0.40899122807017546
RT_VERSION	0x2d140	0x390	data	Basque	Spain	0.40899122807017546
RT_VERSION	0x2fc08	0x390	data	FYRO Macedonia	Macedonia	0.41118421052631576
RT_VERSION	0x2b830	0x390	data	Afrikaans	South Africa	0.4100877192982456
RT_VERSION	0x2b830	0x390	data	Afrikaans	Namibia	0.4100877192982456
RT_VERSION	0x2e318	0x390	data	Georgian	Georgia	0.4100877192982456
RT_VERSION	0x23b60	0x390	data	Hindi	India	0.4100877192982456
RT_VERSION	0x2ff98	0x390	data	Maltese	Malta	0.4100877192982456
RT_VERSION	0x26d40	0x390	data	Malay	Malaysia	0.40899122807017546
RT_VERSION	0x2e6a8	0x390	data	Kazakh	Kazakhstan	0.4100877192982456
RT_VERSION	0x32368	0x390	data	Tatar	Russia	0.4100877192982456
RT_VERSION	0x2c2e0	0x394	OpenPGP Secret Key	Bengali	India	0.4148471615720524
RT_VERSION	0x30dd8	0x390	data	Punjabi	Pakistan	0.40899122807017546
RT_VERSION	0x30dd8	0x390	data	Punjabi	India	0.40899122807017546
RT_VERSION	0x237d0	0x390	data	Gujarati	India	0.40899122807017546
RT_VERSION	0x30a48	0x390	data	Oriya	India	0.40899122807017546
RT_VERSION	0x29810	0x390	data	Tamil	India	0.4100877192982456
RT_VERSION	0x29810	0x390	data	Tamil	Sri Lanka	0.4100877192982456
RT_VERSION	0x29ba0	0x390	data	Telugu	India	0.40899122807017546
RT_VERSION	0x257e0	0x390	data	Kannada	Kanada	0.4100877192982456
RT_VERSION	0x26620	0x390	data	Malayalam	India	0.40899122807017546
RT_VERSION	0x2bbc0	0x390	data	Assamese	India	0.40899122807017546
RT_VERSION	0x269b0	0x390	data	Marathi	India	0.4100877192982456
RT_VERSION	0x2cdb0	0x390	data	Welsh	England	0.4100877192982456
RT_VERSION	0x2ea38	0x390	data	Khmer	Vietnam	0.4100877192982456
RT_VERSION	0x2ea38	0x390	data	Khmer	Thailand	0.4100877192982456
RT_VERSION	0x2f4e8	0x390	data	Lao	Laos	0.4100877192982456
RT_VERSION	0x2df88	0x390	data	Galician	Italy	0.40899122807017546
RT_VERSION	0x2edc8	0x390	data	Konkani	India	0.40899122807017546
RT_VERSION	0x1f7a0	0x390	data	Amharic	Ethiopia	0.40899122807017546
RT_VERSION	0x30328	0x390	data	Nepali	Nepal	0.40899122807017546
RT_VERSION	0x230b0	0x390	data	Filipino	Philippines	0.4067982456140351
RT_VERSION	0x2f158	0x390	data			0.4100877192982456
RT_VERSION	0x326f8	0x390	data			0.4100877192982456
RT_VERSION	0x2f878	0x390	data	Maori	New Zealand	0.4100877192982456
RT_VERSION	0x2dbf8	0x390	data			0.40899122807017546
RT_VERSION	0x2ca08	0x3a8	data			0.41773504273504275
RT_VERSION	0x2b100	0x394	OpenPGP Secret Key	Chinese	China	0.41593886462882096
RT_VERSION	0x21b40	0x394	OpenPGP Secret Key	English	Great Britain	0.41593886462882096
RT_VERSION	0x22268	0x398	OpenPGP Public Key	Spanish	Mexico	0.4152173913043478
RT_VERSION	0x306b8	0x390	data	Norwegian	Norway	0.40899122807017546
RT_VERSION	0x27f18	0x394	OpenPGP Secret Key	Portuguese	Portugal	0.4148471615720524
RT_VERSION	0x290f0	0x390	data	Serbian	Italy	0.4100877192982456
RT_VERSION	0x2d868	0x390	data	Gaelic	Ireland	0.40899122807017546
RT_VERSION	0x20250	0x390	data	Bengali	Bangladesh	0.4100877192982456
RT_VERSION	0x21ed8	0x390	data			0.40899122807017546
RT_VERSION	0x2d4d0	0x394	OpenPGP Secret Key	French	Canada	0.41593886462882096
RT_VERSION	0x31168	0x390	data			0.40789473684210525
RT_VERSION	0x2c678	0x390	data	Bosnian	Bosnian	0.4100877192982456
RT_VERSION	0x31888	0x3a0	data			0.41379310344827586
RT_VERSION	0x31fc8	0x3a0	data			0.41163793103448276
RT_VERSION	0x31c28	0x3a0	data			0.41379310344827586
RT_MANIFEST	0x1ca30	0x5e0	XML 1.0 document, ASCII text	English	United States	0.425531914893617

DLL	Import
KERNEL32.dll	GetModuleFileNameW, GetLastError, CloseHandle, GetProcAddress, CreateProcessW, FreeLibrary, GetTempFileNameW, LoadLibraryExW, GetCommandLineW, GetModuleHandleW, WriteConsoleW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, CreateDirectoryW, CreateFileW, DeleteFileW, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, GetFileInformationByHandle, RemoveDirectoryW, SetFilePointerEx, AreFileApisANSI, SetLastError, CopyFileW, MultiByteToWideChar, WideCharToMultiByte, FormatMessageW, InitializeCriticalSectionAndSpinCount, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RtlUnwind, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, GetCPInfo, HeapAlloc, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DecodePointer
ole32.dll	CoTaskMemFree

GetModuleFileNameW, GetLastError, CloseHandle, GetProcAddress, CreateProcessW, FreeLibrary, GetTempFileNameW, LoadLibraryExW, GetCommandLineW, GetModuleHandleW, WriteConsoleW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, CreateDirectoryW, CreateFileW, DeleteFileW, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, GetFileInformationByHandle, RemoveDirectoryW, SetFilePointerEx, AreFileApisANSI, SetLastError, CopyFileW, MultiByteToWideChar, WideCharToMultiByte, FormatMessageW, InitializeCriticalSectionAndSpinCount, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RtlUnwind, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, GetCPInfo, HeapAlloc, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DecodePointer

ole32.dll

CoTaskMemFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Arabic	Saudi Arabia
Bulgarian	Bulgaria
Catalan	Spain
Chinese	Taiwan
Czech	Czech Republic
Danish	Denmark
German	Germany
Greek	Greece
Finnish	Finland
French	France
Hebrew	Israel
Hungarian	Hungary
Icelandic	Iceland
Italian	Italy
Japanese	Japan
Korean	North Korea
Korean	South Korea
Dutch	Netherlands
Norwegian	Norway
Polish	Poland
Portuguese	Brazil
Romanian	Romania
Russian	Russia
Croatian	Croatia
Slovak	Slovakia
Albanian	Albania
Swedish	Sweden
Thai	Thailand
Turkish	Turkey
Urdu	Pakistan
Urdu	India
Indonesian	Indonesia
Ukrainian	Ukrain
Slovenian	Slovenia
Estonian	Estonia
Latvian	Lativa
Lithuanian	Lithuania
Farsi	Iran
Farsi	Afganistan
Farsi	Tajikistan
Farsi	Uzbekistan
Vietnamese	Vietnam
FYRO Macedonia	Macedonia
Afrikaans	South Africa
Afrikaans	Namibia
Georgian	Georgia
Maltese	Malta
Malay	Malaysia
Kazakh	Kazakhstan
Tamil	Sri Lanka
Kannada	Kanada
Welsh	England
Lao	Laos
Amharic	Ethiopia
Nepali	Nepal
Filipino	Philippines
Maori	New Zealand
Chinese	China
English	Great Britain
Spanish	Mexico
Portuguese	Portugal
Gaelic	Ireland
Bengali	Bangladesh
French	Canada
Bosnian	Bosnian

Target ID:	0
Start time:	17:59:13
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MicrosoftEdgeUpdate.exe"
Imagebase:	0xbd0000
File size:	213'392 bytes
MD5 hash:	B55AD19C6C110E9BF985BC8674F7BCB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:00:08
Start date:	26/04/2024
Path:	C:\Windows\System32\Taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe" /4
Imagebase:	0x7ff78e410000
File size:	1'213'232 bytes
MD5 hash:	58D5BC7895F7F32EE308E34F06F25DD5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:00:09
Start date:	26/04/2024
Path:	C:\Windows\System32\Taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe" /4
Imagebase:	0x7ff78e410000
File size:	1'213'232 bytes
MD5 hash:	58D5BC7895F7F32EE308E34F06F25DD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.63090116178004
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MicrosoftEdgeUpdate.exe
File size:	213'392 bytes
MD5:	b55ad19c6c110e9bf985bc8674f7bcb3
SHA1:	accd3e9360bb920985f1a42ee00eda43cf6405e9
SHA256:	9991ba022173f283ee99068b708f60ac5143fe0c81c9e3673cc7835b108a4f44
SHA512:	516634fe7f8632bc4ec640978199ff6eb807c23bdfa70e110cec5c4d1aa781e16688f9eaa058853a8017db14be6c8f29a281582c8eeeec563750dfac0359fb60
SSDEEP:	3072:/WWG4aT9L5WeEfp8+Oqwbzs7VpRXW/wTJT0+o4yvRb3u0I3yz8B+Cu3FWgC1RxTW:wtoO9ipW4640u0I3yoB+iRMhI5Q
TLSH:	D4246E1277F84A69F8F36E3058349F2A9A3FBC329D35EA2D1684219D1D34A51CD21B37
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{e.W...W...W....r..]....r.......r..E...Vw..F...Vw..F...Vw..e....r..V....r..R...W...#....w..U....w..V...W........w..V...RichW..

Entrypoint:	0x40b388
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5EFBFF33 [Wed Jul 1 03:12:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	30ad68b9dc9737d8c720dd9284051add

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	04/03/2020 19:39:50 03/03/2021 19:39:50
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	0416F02A45804A9A6E2E749C26602031
Thumbprint SHA-1:	640386795F1D21244E7EA6E7A6E69E9C5B0A4F3E
Thumbprint SHA-256:	020D7724BAAD9801C54329473DFCAA290960A3E9460C49C0695B641DD019F65E
Serial:	330000018A073733CF2048893C00000000018A

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MicrosoftEdgeUpdate.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: MicrosoftEdgeUpdate.exePID: 7020, Parent PID: 4380

General

Chronological Activities

Analysis Process: Taskmgr.exePID: 6856, Parent PID: 4380

General

Chronological Activities

Analysis Process: Taskmgr.exePID: 6880, Parent PID: 4380

General

Windows Analysis Report
MicrosoftEdgeUpdate.exe