File name:	C:\Users\admin\AppData\Local\Temp\{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe
Full analysis:	https://app.any.run/tasks/1b0d9ac0-3de5-4ac6-b216-95faf000aff8
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	November 07, 2023, 22:33:26
OS:	Windows 8.1 Professional (build: 9600, 32 bit)
Tags:	loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	9B09E682511FD006DE0458875A8C2E84
SHA1:	1ADD3F4D4F038B898004CE5B162B148BBF3DF709
SHA256:	2450A90417EC5205709D79CC2BA5BB0401B49AF95DCF8D6E1786E0D72DA53754
SSDEEP:	49152:EtZFIA1VBxblu2XFTLqjlu9d3Df1WKbRwBbs9DyoV6j9XL9/g41fk3UOT3M1lqWY:E+oVBxBpTLIlu9pr1WKlwBbMDnVU9Lhu

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:10:19 20:55:57+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.31
CodeSize:	108032
InitializedDataSize:	1492480
UninitializedDataSize:	-
EntryPoint:	0x7d20
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.3.181.5
ProductVersionNumber:	1.3.181.5
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Edge Update Setup
FileVersion:	1.3.181.5
InternalName:	Microsoft Edge Update Setup
LegalCopyright:	Copyright Microsoft Corporation
OriginalFileName:	MicrosoftEdgeUpdateSetup.exe
ProductName:	Microsoft Edge Update
ProductVersion:	1.3.181.5
UpstreamVersion:	1.3.99.0
LanguageId:	en


(PID) Process:	(3544) MicrosoftEdgeUpdate.exe	Key:	HKEY_USERS\S-1-5-21-2655973190-2785740294-2321183924-1001_CLASSES\Local Settings\MuiCache\2e\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3544) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\CurrentState
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3544) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\CurrentState
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3544) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\PersistedPings\{2F09C21C-E0A1-4024-B191-5D56ED0DD7B8}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3544) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\CurrentState
Operation:	write	Name:	StateValue
Value: 3
(PID) Process:	(3544) MicrosoftEdgeUpdate.exe	Key:	HKEY_USERS\S-1-5-21-2655973190-2785740294-2321183924-1001\Software\Microsoft\EdgeUpdate\proxy
Operation:	write	Name:	source
Value: auto
(PID) Process:	(3544) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	ConsecutiveCheckFailures
Value: 0
(PID) Process:	(3544) MicrosoftEdgeUpdate.exe	Key:	HKEY_USERS\S-1-5-21-2655973190-2785740294-2321183924-1001\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	dr
Value: 0
(PID) Process:	(3544) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	DayOfLastRollCall
Value: 5933
(PID) Process:	(3544) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	ping_freshness
Value: {0A5B2725-9FB7-4145-B5E1-5B3CF1759911}

PID	Process	Filename		Type
2232	{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Users\admin\AppData\Local\Temp\EUF9E7.tmp\MicrosoftEdgeUpdateOnDemand.exe		executable
		MD5:532D470DA7523ABBB2ADE51CBD6CF1BD	SHA256:611225DCD25B3DAB7D331CE187F3589D83C80EFC543B971D96DD5357363EC827
2232	{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Users\admin\AppData\Local\Temp\EUF9E7.tmp\MicrosoftEdgeUpdate.exe		executable
		MD5:11FE091ACE9D03B9ADA6D5A22D12C0D0	SHA256:50F4ED60A507CE9DD1F3F4E7D53053D923CB71594374A25251746A9B2271E4EE
2232	{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Users\admin\AppData\Local\Temp\EUF9E7.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe		executable
		MD5:7750D94E4719BA69F5F83213444C0015	SHA256:1AB31694FF0B6283FBB6EC062D6EAB9FFB26DF9D6D1BA140CF60A8E7A4CB9FE5
2232	{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Users\admin\AppData\Local\Temp\EUF9E7.tmp\MicrosoftEdgeUpdateBroker.exe		executable
		MD5:4FDA82E4E5DB7141350CDDCEF7DB07A4	SHA256:48EFBB4780A6BE7EADC26DCC6D2C2B16DACCE447E53A3E2725AD4B1318A34E68
2232	{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Users\admin\AppData\Local\Temp\EUF9E7.tmp\psuser.dll		executable
		MD5:ADC9BAF6F9543CE4D3AA5767DDEED984	SHA256:B2D2A12CE67C87D483EBC6CB118C99CCD06D4C25CB9F6460178521E59BBE0EFB
2232	{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Users\admin\AppData\Local\Temp\EUF9E7.tmp\psmachine.dll		executable
		MD5:56C1A9EC314B41CE4BF20AAE41E94078	SHA256:A82DB4F2EC83020B2BA31A96D214D4EE207173A8B4206432C765DEE870120917
2232	{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Users\admin\AppData\Local\Temp\EUF9E7.tmp\psmachine_64.dll		executable
		MD5:A1E69165B66D05938AB8FC8232EDC866	SHA256:5B7345DE0B70B8D0CEFD4140ACF428A5B0FFE5A147ADF8A75D981B37FBD81E3A
2232	{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Users\admin\AppData\Local\Temp\EUF9E7.tmp\msedgeupdate.dll		executable
		MD5:0BEC55833F356F89B8D9D63727DDC43E	SHA256:B360AFADECB2334BA103D515C506E792CB9AEEA5925A6CF85DBFD786A225FFC3
2232	{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Users\admin\AppData\Local\Temp\EUF9E7.tmp\MicrosoftEdgeComRegisterShellARM64.exe		executable
		MD5:9540AD83A08605BA1F52196424CE3067	SHA256:B0B5D9EB6F4B176BDFBE4DA0A060AD1B76C813186FAE3D9A6E1B1DD9EE0D01D1
2232	{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Users\admin\AppData\Local\Temp\EUF9E7.tmp\psmachine_arm64.dll		executable
		MD5:581BC2D275F8B2E23C2C8BEEDA8471AD	SHA256:28F2F1AC5189A07B59110946509B7C61CC7F2935AF96B000278A5C5952C4B7C3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
796	svchost.exe	HEAD	200	23.50.131.74:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a0b1d1cd-93e2-4589-ad91-42a1325c3d88?P1=1700001259&P2=404&P3=2&P4=OnVCCsAU4Tuv6R3rN3%2fltfLMZpzl7FZ9VJT6mxbmJ1ugqgjwpLulZ4iYFFZFqErAv9wJUdwGZ8HmzxgO6Ncwdw%3d%3d	unknown	—	—	unknown
—	—	GET	304	config.edge.skype.com:443	https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.181.5?clientId=s:6B9497E7-8A14-4043-A0AD-B1B6823998F8&appBrandCode_edgeupdate=M100&appChannel_edgeupdate=6&appCohort_edgeupdate=rrf@0.81&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=5929&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=19094400&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.181.5&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=0&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=3&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x86&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=6.3.9600.18778&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=selfupdate&requestIsMachine=true&requestOmahaShellVersion=1.3.175.29&requestOmahaVersion=1.3.181.5	unknown	—	—	—
—	—	GET	200	config.edge.skype.com:443	https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:6B9497E7-8A14-4043-A0AD-B1B6823998F8&appBrandCode_stable=M100&appChannel_stable=4&appCohort_stable=rrf@0.72&appConsentState_stable=393219&appDayOfInstall_stable=5929&appInactivityBadgeApplied_stable=0&appInactivityBadgeCleared_stable=0&appInactivityBadgeDuration_stable=0&appInstallTimeDiffSec_stable=19094400&appIsPinnedSystem_stable=true&appLang_stable=en&appLastLaunchCount_stable=1&appLastLaunchTime_stable=13324769297808631&appLastLaunchTimeJson_stable=2023-03-31t20:48:17.808z&appLastLaunchTimeDaysAgo_stable=221&appUpdateCheckIsUpdateDisabled_stable=false&appUpdatesAllowedForMeteredNetworks_stable=false&appVersion_stable=109.0.1518.115&hwDiskType=0&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=3&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x86&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=6.3.9600.18778&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=core&requestIsMachine=true&requestOmahaShellVersion=1.3.175.29&requestOmahaVersion=1.3.177.11	unknown	binary	234 b	—
—	—	POST	200	msedge.api.cdp.microsoft.com:443	https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates	unknown	ini	199 b	—
—	—	POST	200	msedge.api.cdp.microsoft.com:443	https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedgeupdate-stable-win-x86/versions/1.3.181.5/files?action=GenerateDownloadInfo&foregroundPriority=false	unknown	ini	755 b	—
796	svchost.exe	GET	206	23.50.131.74:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a0b1d1cd-93e2-4589-ad91-42a1325c3d88?P1=1700001259&P2=404&P3=2&P4=OnVCCsAU4Tuv6R3rN3%2fltfLMZpzl7FZ9VJT6mxbmJ1ugqgjwpLulZ4iYFFZFqErAv9wJUdwGZ8HmzxgO6Ncwdw%3d%3d	unknown	executable	6.93 Kb	unknown
796	svchost.exe	GET	206	23.50.131.74:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a0b1d1cd-93e2-4589-ad91-42a1325c3d88?P1=1700001259&P2=404&P3=2&P4=OnVCCsAU4Tuv6R3rN3%2fltfLMZpzl7FZ9VJT6mxbmJ1ugqgjwpLulZ4iYFFZFqErAv9wJUdwGZ8HmzxgO6Ncwdw%3d%3d	unknown	binary	10.4 Kb	unknown
—	—	POST	200	self.events.data.microsoft.com:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	—
796	svchost.exe	GET	206	23.50.131.74:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a0b1d1cd-93e2-4589-ad91-42a1325c3d88?P1=1700001259&P2=404&P3=2&P4=OnVCCsAU4Tuv6R3rN3%2fltfLMZpzl7FZ9VJT6mxbmJ1ugqgjwpLulZ4iYFFZFqErAv9wJUdwGZ8HmzxgO6Ncwdw%3d%3d	unknown	binary	10.4 Kb	unknown
796	svchost.exe	GET	206	23.50.131.74:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a0b1d1cd-93e2-4589-ad91-42a1325c3d88?P1=1700001259&P2=404&P3=2&P4=OnVCCsAU4Tuv6R3rN3%2fltfLMZpzl7FZ9VJT6mxbmJ1ugqgjwpLulZ4iYFFZFqErAv9wJUdwGZ8HmzxgO6Ncwdw%3d%3d	unknown	binary	97.9 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
3948	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
3948	msedge.exe	224.0.0.251:5353	—	—	—	unknown
3544	MicrosoftEdgeUpdate.exe	23.102.129.60:443	msedge.api.cdp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
796	svchost.exe	23.50.131.74:80	msedge.b.tlu.dl.delivery.mp.microsoft.com	Akamai International B.V.	DE	unknown
2448	MicrosoftEdgeUpdate.exe	104.46.162.226:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	AU	unknown
1628	MicrosoftEdgeUpdate.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1628	MicrosoftEdgeUpdate.exe	104.46.162.226:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	AU	unknown
1952	MicrosoftEdgeUpdate.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1952	MicrosoftEdgeUpdate.exe	20.42.65.84:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

Domain	IP	Reputation
msedge.api.cdp.microsoft.com	23.102.129.60	whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com	23.50.131.74 23.50.131.72	whitelisted
self.events.data.microsoft.com	104.46.162.226 20.42.65.84	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted

PID	Process	Class	Message
796	svchost.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
796	svchost.exe	Misc activity	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

General Info

C:\Users\admin\AppData\Local\Temp\{05CB80D9-4047-4540-8F3E-BEC4C4323911}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe

9B09E682511FD006DE0458875A8C2E84

1ADD3F4D4F038B898004CE5B162B148BBF3DF709

2450A90417EC5205709D79CC2BA5BB0401B49AF95DCF8D6E1786E0D72DA53754

49152:EtZFIA1VBxblu2XFTLqjlu9d3Df1WKbRwBbs9DyoV6j9XL9/g41fk3UOT3M1lqWY:E+oVBxBpTLIlu9pr1WKlwBbMDnVU9Lhu

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Process drops legitimate windows executable

Application launched itself

Checks Windows Trust Settings

Disables SEHOP

Creates/Modifies COM task schedule object

Creates a software uninstall entry

Executes as Windows Service

INFO

Checks supported languages

Creates files in the program directory

Reads the software policy settings

Reads the computer name

Reads Environment values

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings