analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | TurtleWoW.exe |
| Full analysis: | https://app.any.run/tasks/08fbfac2-a4a1-498c-b784-7d59901ddeb5 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 08, 2025 at 05:22:08 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | DF7580175A899AD0CF3017685830D84A |
| SHA1: | AFCFD76A2AAEFE056AFD1247488F1AAF955B0881 |
| SHA256: | 1D4C5A031D148A2687912778BFB4E61080985675747390DB0D76AC931AA60795 |
| SSDEEP: | 98304:9J8CwYGjpz/88WEHioI5t8xNqKOiNsFL2AXmku8A06elwDsmI+U0QQyiUzmZ/epu:9u6nKlU5GfIUwYF1B49g |
MALICIOUS
Executing a file with an untrusted certificate
- TurtleWoW.exe (PID: 5408)
Changes the autorun value in the registry
- MicrosoftEdgeUpdate.exe (PID: 4040)
The DLL Hijacking
- msedgewebview2.exe (PID: 2692)
Scans artifacts that could help determine the target
- msedgewebview2.exe (PID: 5256)
SUSPICIOUS
The process creates files with name similar to system file names
- TurtleWoW.exe (PID: 5408)
Malware-specific behavior (creating "System.dll" in Temp)
- TurtleWoW.exe (PID: 5408)
There is functionality for taking screenshot (YARA)
- TurtleWoW.exe (PID: 5408)
Process requests binary or script from the Internet
- TurtleWoW.exe (PID: 5408)
Executable content was dropped or overwritten
- TurtleWoW.exe (PID: 5408)
- MicrosoftEdgeUpdate.exe (PID: 4040)
- MicrosoftEdge_X64_135.0.3179.54.exe (PID: 5428)
- setup.exe (PID: 3268)
- MicrosoftEdgeWebview2Setup.exe (PID: 2236)
Process drops legitimate windows executable
- TurtleWoW.exe (PID: 5408)
- MicrosoftEdgeWebview2Setup.exe (PID: 2236)
- MicrosoftEdgeUpdate.exe (PID: 4040)
- MicrosoftEdge_X64_135.0.3179.54.exe (PID: 5428)
- setup.exe (PID: 3268)
Starts a Microsoft application from unusual location
- MicrosoftEdgeWebview2Setup.exe (PID: 2236)
- MicrosoftEdgeUpdate.exe (PID: 4040)
Searches for installed software
- TurtleWoW.exe (PID: 5408)
- setup.exe (PID: 3268)
Starts itself from another location
- MicrosoftEdgeUpdate.exe (PID: 4040)
Creates/Modifies COM task schedule object
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7084)
- MicrosoftEdgeUpdate.exe (PID: 5416)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4892)
Reads security settings of Internet Explorer
- MicrosoftEdgeUpdate.exe (PID: 4040)
- MicrosoftEdgeUpdate.exe (PID: 2320)
- msedgewebview2.exe (PID: 5256)
Application launched itself
- setup.exe (PID: 3268)
- MicrosoftEdgeUpdate.exe (PID: 2320)
- msedgewebview2.exe (PID: 5256)
Creates a software uninstall entry
- setup.exe (PID: 3268)
- TurtleWoW.exe (PID: 5408)
INFO
The sample compiled with english language support
- TurtleWoW.exe (PID: 5408)
- MicrosoftEdgeWebview2Setup.exe (PID: 2236)
- MicrosoftEdgeUpdate.exe (PID: 4040)
- MicrosoftEdge_X64_135.0.3179.54.exe (PID: 5428)
- setup.exe (PID: 3268)
Reads the computer name
- TurtleWoW.exe (PID: 5408)
- MicrosoftEdgeUpdate.exe (PID: 4040)
- MicrosoftEdgeUpdate.exe (PID: 5416)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4892)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7084)
- MicrosoftEdgeUpdate.exe (PID: 6112)
- MicrosoftEdgeUpdate.exe (PID: 6184)
- MicrosoftEdgeUpdate.exe (PID: 2320)
- MicrosoftEdge_X64_135.0.3179.54.exe (PID: 5428)
- setup.exe (PID: 3268)
- MicrosoftEdgeUpdate.exe (PID: 2984)
- turtle-wow.exe (PID: 1052)
- msedgewebview2.exe (PID: 5256)
- msedgewebview2.exe (PID: 2692)
- msedgewebview2.exe (PID: 4108)
Checks supported languages
- TurtleWoW.exe (PID: 5408)
- MicrosoftEdgeWebview2Setup.exe (PID: 2236)
- MicrosoftEdgeUpdate.exe (PID: 4040)
- MicrosoftEdgeUpdate.exe (PID: 5416)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4892)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7084)
- MicrosoftEdgeUpdate.exe (PID: 6112)
- MicrosoftEdgeUpdate.exe (PID: 6184)
- MicrosoftEdgeUpdate.exe (PID: 2320)
- MicrosoftEdge_X64_135.0.3179.54.exe (PID: 5428)
- setup.exe (PID: 3268)
- setup.exe (PID: 2596)
- MicrosoftEdgeUpdate.exe (PID: 2984)
- turtle-wow.exe (PID: 1052)
- msedgewebview2.exe (PID: 1748)
- msedgewebview2.exe (PID: 5256)
- msedgewebview2.exe (PID: 2692)
- msedgewebview2.exe (PID: 4108)
- msedgewebview2.exe (PID: 6028)
- msedgewebview2.exe (PID: 6820)
Checks proxy server information
- TurtleWoW.exe (PID: 5408)
- MicrosoftEdgeUpdate.exe (PID: 6112)
- MicrosoftEdgeUpdate.exe (PID: 2320)
- MicrosoftEdgeUpdate.exe (PID: 2984)
- msedgewebview2.exe (PID: 5256)
- turtle-wow.exe (PID: 1052)
- slui.exe (PID: 1164)
Create files in a temporary directory
- TurtleWoW.exe (PID: 5408)
- MicrosoftEdgeWebview2Setup.exe (PID: 2236)
- MicrosoftEdgeUpdate.exe (PID: 4040)
- msedgewebview2.exe (PID: 5256)
Creates files or folders in the user directory
- MicrosoftEdgeUpdate.exe (PID: 4040)
- MicrosoftEdgeUpdate.exe (PID: 2320)
- MicrosoftEdge_X64_135.0.3179.54.exe (PID: 5428)
- setup.exe (PID: 2596)
- setup.exe (PID: 3268)
- TurtleWoW.exe (PID: 5408)
- msedgewebview2.exe (PID: 5256)
- msedgewebview2.exe (PID: 1748)
- msedgewebview2.exe (PID: 4108)
- turtle-wow.exe (PID: 1052)
Reads Environment values
- MicrosoftEdgeUpdate.exe (PID: 6112)
- MicrosoftEdgeUpdate.exe (PID: 2984)
- turtle-wow.exe (PID: 1052)
- msedgewebview2.exe (PID: 5256)
Process checks computer location settings
- MicrosoftEdgeUpdate.exe (PID: 4040)
- setup.exe (PID: 3268)
- msedgewebview2.exe (PID: 5256)
- msedgewebview2.exe (PID: 6820)
Reads the software policy settings
- MicrosoftEdgeUpdate.exe (PID: 6112)
- MicrosoftEdgeUpdate.exe (PID: 2320)
- MicrosoftEdgeUpdate.exe (PID: 2984)
- slui.exe (PID: 1164)
Reads the machine GUID from the registry
- MicrosoftEdgeUpdate.exe (PID: 6112)
- MicrosoftEdgeUpdate.exe (PID: 2320)
- MicrosoftEdgeUpdate.exe (PID: 2984)
- msedgewebview2.exe (PID: 5256)
Manual execution by a user
- turtle-wow.exe (PID: 1052)
Reads product name
- turtle-wow.exe (PID: 1052)
Reads CPU info
- msedgewebview2.exe (PID: 5256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:09:25 21:56:47+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 141824 |
| UninitializedDataSize: | 2048 |
| EntryPoint: | 0x3640 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.0.2.0 |
| ProductVersionNumber: | 2.0.2.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| FileDescription: | TurtleWoW |
| FileVersion: | 2.0.2 |
| LegalCopyright: | - |
| ProductName: | TurtleWoW |
| ProductVersion: | 2.0.2 |
Total processes
152
Monitored processes
22
Malicious processes
9
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1052 | "C:\Users\admin\AppData\Local\TurtleWoW\turtle-wow.exe" | C:\Users\admin\AppData\Local\TurtleWoW\turtle-wow.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: TurtleWoW Version: 0.0.0 Modules
| |||||||||||||||
| 1164 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1748 | C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.54\msedgewebview2.exe --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\turtle-wow\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\turtle-wow\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=135.0.7049.42 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.54\msedgewebview2.exe --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=135.0.3179.54 --initial-client-data=0x1a0,0x1a4,0x1a8,0x17c,0x1b0,0x7ffc88958240,0x7ffc8895824c,0x7ffc88958258 | C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.54\msedgewebview2.exe | — | msedgewebview2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge WebView2 Version: 135.0.3179.54 Modules
| |||||||||||||||
| 2236 | C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe /silent /install | C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe | TurtleWoW.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Setup Exit code: 0 Version: 1.3.195.49 Modules
| |||||||||||||||
| 2320 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Exit code: 0 Version: 1.3.195.49 Modules
| |||||||||||||||
| 2596 | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{EDC5A982-DF75-4750-90C7-B552884A4E91}\EDGEMITMP_3613A.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=135.0.7049.42 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{EDC5A982-DF75-4750-90C7-B552884A4E91}\EDGEMITMP_3613A.tmp\setup.exe --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=135.0.3179.54 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2a4,0x2d4,0x7ff79c09c888,0x7ff79c09c894,0x7ff79c09c8a0 | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{EDC5A982-DF75-4750-90C7-B552884A4E91}\EDGEMITMP_3613A.tmp\setup.exe | — | setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Installer Exit code: 0 Version: 135.0.3179.54 Modules
| |||||||||||||||
| 2692 | "C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.54\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\turtle-wow\EBWebView" --webview-exe-name=turtle-wow.exe --webview-exe-version=0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-pre-read-main-dll --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1896,i,5042347286289215557,5336544209941453863,262144 --enable-features=ForceSWDCompWhenDCompFallbackRequired,msAggressiveCacheTrimming,msCustomDataPartition,msWebView2NoTabForScreenShare,msWindowsTaskManager --disable-features=BackForwardCache,BackgroundTabLoadingFromPerformanceManager,CloseOmniboxPopupOnInactiveAreaClick,CollectAVProductsInfo,CollectCodeIntegrityInfo,EnableHangWatcher,FilterAdsOnAbusiveSites,GetWifiProtocol,LoginDetection,MediaFoundationCameraUsageMonitoring,PreconnectToSearch,SafetyHub,SegmentationPlatform,SpareRendererForSitePerProcess,Ukm,WebPayments,msAITrackerClassification,msAbydosForWindowlessWV2,msAffirmVirtualCard,msAllowChromeWebstore,msAllowMSAPrtSSOForNonMSAProfile,msApplicationGuard,msAskBeforeClosingMultipleTabs,msAutoToggleAADPrtSSOForNonAADProfile,msAutofillEdgeCoupons,msAutofillEdgeCouponsAutoApply,msAutofillEdgeServiceRequest,msAutomaticTabFreeze,msBrowserSettingsSupported,msCoarseGeolocationService,msDataProtection,msDesktopMode,msDesktopRewards,msDisableVariationsSeedFetchThrottling,msEEProactiveHistory,msETFOffstoreExtensionFileDataCollection,msETFPasswordTheftDNRActionSignals,msEdgeAdPlatformUI,msEdgeAddWebCapturetoCollections,msEdgeAutofillAdvancedSuggestionsBasic,msEdgeAutofillOneClickAutocomplete,msEdgeAutofillSaveGSPR100InDb,msEdgeAutofillShowDeployedPassword,msEdgeAutofillSs,msEdgeBrowserEssentialsShowUpdateSection,msEdgeCloudConfigService,msEdgeCloudConfigServiceV2,msEdgeCohorts,msEdgeCollectionsPrismExperiment1,msEdgeCollectionsPrismOverallMigration,msEdgeComposeNext,msEdgeEnableNurturingFramework,msEdgeEnclavePrefsBasic,msEdgeEnclavePrefsNotification,msEdgeFaviconService,msEdgeHJTelemetry,msEdgeHubAppSkype,msEdgeImageEditorUI,msEdgeLinkDoctor,msEdgeMouseGestureDefaultEnabled,msEdgeMouseGestureSupported,msEdgeNewDeviceFre,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgePDFCMHighlightUX,msEdgePasswordIris,msEdgePasswordIrisSaveBubble,msEdgeProngPersonalization,msEdgeReadingView,msEdgeRose,msEdgeSendTabToSelf,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingPersistentStorage,msEdgeShoppingUI,msEdgeSmartFind,msEdgeSuperDragDefaultEnabled,msEdgeSuperDragDropSupported,msEdgeTipping,msEdgeTranslate,msEdgeUseCaptivePortalService,msEdgeWebContentFilteringFeedback,msEdgeWorkSearchBanner,msEnableCustomJobMemoryLimitsOnXbox,msEnableMIPForPDF,msEnablePdfUpsell,msEnableThirdPartyScanning,msEnableWebSignInCta,msEnableWebToBrowserSignIn,msEndpointDlp,msEntityExtraction,msExtensionTelemetryFramework,msExternalTaskManager,msFileSystemAccessDirectoryIterationBlocklistCheck,msForceBrowserSignIn,msForeignSessionsPage,msGeolocationAccessService,msGeolocationOSLocationPermissionFallback,msGeolocationSQMService,msGeolocationService,msGrowthInfraLaunchSourceLogging,msGuidedSwitchAllowed,msHubPinPersist,msImplicitSignin,msIrm,msIrmv2,msKlarnaVirtualCard,msLoadStatistics,msLogIsEdgePinnedToTaskbarOnLaunch,msMIPCrossTenantPdfViewSupport,msMdatpWebSiteDlp,msNotificationPermissionForPWA,msOnHoverSearchInSidebar,msOpenOfficeDocumentsInWebViewer,msPasswordBreachDetection,msPdfAnnotationsVisibility,msPdfDataRecovery,msPdfDigitalSignatureRead,msPdfFreeText,msPdfFreeTextForCJK,msPdfHighlightMode,msPdfInking,msPdfKeyphraseSupport,msPdfOOUI,msPdfPopupMarkerRenderer,msPdfShare,msPdfSharedLibrary,msPdfTextNote,msPdfTextNoteMoreMenu,msPdfThumbnailCache,msPdfUnderside,msPdfViewRestore,msPersonalizationUMA,msPriceComparison,msPromptDefaultHandlerForPDF,msReactiveSearch,msReadAloud,msReadAloudPdf,msRedirectToShoreline,msRevokeExtensions,msSaasDlp,msShoppingTrigger,msShorelineSearch,msShorelineSearchFindOnPageWebUI,msShowOfflineGameEntrance,msShowReadAloudIconInAddressBar,msShowUXForAADPrtSSOForNonAADProfile,msSmartScreenProtection,msSuspendMessageForNewSessionWhenHavingPendingNavigation,msSyncEdgeCollections,msTabResourceStats,msTokenizationAutofillInlineEnabled,msTouchMode,msTriggeringSignalGenerator,msUserUnderstanding,msVideoSuperResolutionUI,msWalletBuyNow,msWalletCheckout,msWalletDiagnosticDataLogger,msWalletHubEntry,msWalletHubIntlP3,msWalletPartialCard,msWalletPasswordCategorization,msWalletPasswordCategorizationPlatformExpansion,msWalletTokenizationCardMetadata,msWalletTokenizedAutofill,msWebAssist,msWebAssistHistorySearchService,msWebOOUI,msWindowsUserActivities,msZipPayVirtualCard --variations-seed-version --mojo-platform-channel-handle=1888 /prefetch:2 | C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.54\msedgewebview2.exe | — | msedgewebview2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge WebView2 Version: 135.0.3179.54 Modules
| |||||||||||||||
| 2984 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7MzI4QTAyM0UtODVCQy00QjFGLUE1NDMtQzM3RTU1NkJFQUEzfSIgdXNlcmlkPSJ7OENBODZDQ0MtMDAzNS00OTJCLUEzN0QtMTkxMDgwMjE3QkUxfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswRTk3MjJBRC05MkQwLTQwMkItQTYzMC1GNUQ4MkMyRTEyREZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMzUuMC4zMTc5LjU0IiBsYW5nPSJlbiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk4NjM4MjE4OTAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5ODYzOTc4NzU5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTAyODEwMDkwODkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzJkMzJmZTcwLWEzMjAtNDQ2NS1hMWFkLTVmMjAxOTdmN2Y5YT9QMT0xNzQ0Njk0NTU3JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PU5tdjlIUkNzOEdMcUVoZFZTOFdMbVdKZHpCWHNrMmV0cGJLclB4alRMRmIzUmNoayUyZjJaNnhKdFpvN3lTbGlFN24xNnpVV21NSHo1b2FCUG0wTVpDJTJiUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3MjM1NjE1MiIgdG90YWw9IjE3MjM1NjE1MiIgZG93bmxvYWRfdGltZV9tcz0iMzcxMjUiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDI4MTMyMjU5NSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMzAxMTY2NDIyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDczMjQxNTUxNiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjE3OTciIGRvd25sb2FkX3RpbWVfbXM9IjQxNzM0IiBkb3dubG9hZGVkPSIxNzIzNTYxNTIiIHRvdGFsPSIxNzIzNTYxNTIiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjQzMTA5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Exit code: 0 Version: 1.3.195.49 Modules
| |||||||||||||||
| 3268 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{EDC5A982-DF75-4750-90C7-B552884A4E91}\EDGEMITMP_3613A.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{EDC5A982-DF75-4750-90C7-B552884A4E91}\MicrosoftEdge_X64_135.0.3179.54.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-level | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{EDC5A982-DF75-4750-90C7-B552884A4E91}\EDGEMITMP_3613A.tmp\setup.exe | MicrosoftEdge_X64_135.0.3179.54.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Installer Exit code: 0 Version: 135.0.3179.54 Modules
| |||||||||||||||
| 4040 | C:\Users\admin\AppData\Local\Temp\EUF9B4.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" | C:\Users\admin\AppData\Local\Temp\EUF9B4.tmp\MicrosoftEdgeUpdate.exe | MicrosoftEdgeWebview2Setup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Exit code: 0 Version: 1.3.195.49 Modules
| |||||||||||||||
Total events
22 287
Read events
19 605
Write events
2 614
Delete events
68
Modification events
| (PID) Process: | (4040) MicrosoftEdgeUpdate.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate |
| Operation: | delete value | Name: | eulaaccepted |
Value: | |||
| (PID) Process: | (4040) MicrosoftEdgeUpdate.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate |
| Operation: | write | Name: | path |
Value: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | |||
| (PID) Process: | (4040) MicrosoftEdgeUpdate.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate |
| Operation: | write | Name: | UninstallCmdLine |
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /uninstall | |||
| (PID) Process: | (4040) MicrosoftEdgeUpdate.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A} |
| Operation: | write | Name: | pv |
Value: 1.3.195.49 | |||
| (PID) Process: | (4040) MicrosoftEdgeUpdate.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A} |
| Operation: | write | Name: | name |
Value: Microsoft Edge Update | |||
| (PID) Process: | (4040) MicrosoftEdgeUpdate.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A} |
| Operation: | write | Name: | pv |
Value: 1.3.195.49 | |||
| (PID) Process: | (4040) MicrosoftEdgeUpdate.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Microsoft Edge Update |
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.49\MicrosoftEdgeUpdateCore.exe" | |||
| (PID) Process: | (6644) MicrosoftEdgeUpdateComRegisterShell64.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{81093D63-7825-417B-BFC8-ADC63FA4E53D}\InprocServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Both | |||
| (PID) Process: | (6644) MicrosoftEdgeUpdateComRegisterShell64.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{5EA43877-C6D8-4885-B77A-C0BB27E94372}\InprocServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Both | |||
| (PID) Process: | (6644) MicrosoftEdgeUpdateComRegisterShell64.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{F6575EAC-C070-4329-8FB9-CB574A353CC3}\InprocHandler32 |
| Operation: | write | Name: | ThreadingModel |
Value: Both | |||
Executable files
217
Suspicious files
104
Text files
28
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5408 | TurtleWoW.exe | C:\Users\admin\AppData\Local\Temp\nsyCAD6.tmp\LangDLL.dll | executable | |
MD5:68B287F4067BA013E34A1339AFDB1EA8 | SHA256:18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026 | |||
| 5408 | TurtleWoW.exe | C:\Users\admin\AppData\Local\Temp\nsyCAD6.tmp\modern-header.bmp | image | |
MD5:FBF838C4D76135D01D4B10511B322D39 | SHA256:61A765C64A64C637FC8F80770695A1F3A1F1C26ADABEC3062F1D81F7836973C8 | |||
| 5408 | TurtleWoW.exe | C:\Users\admin\AppData\Local\Temp\nsyCAD6.tmp\nsDialogs.dll | executable | |
MD5:6C3F8C94D0727894D706940A8A980543 | SHA256:56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2 | |||
| 5408 | TurtleWoW.exe | C:\Users\admin\AppData\Local\Temp\nsyCAD6.tmp\modern-wizard.bmp | image | |
MD5:1185DAD0C68CA4452F6EF8ACC06A69A0 | SHA256:2FB0A86CDC0764297E027EA25DF454827F2D7E5D93CD7B80901892D9234716DB | |||
| 5408 | TurtleWoW.exe | C:\Users\admin\AppData\Local\Temp\nsyCAD6.tmp\System.dll | executable | |
MD5:CFF85C549D536F651D4FB8387F1976F2 | SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8 | |||
| 5408 | TurtleWoW.exe | C:\Users\admin\AppData\Local\Temp\nsyCAD6.tmp\NSISdl.dll | executable | |
MD5:EE68463FED225C5C98D800BDBD205598 | SHA256:419485A096BC7D95F872ED1B9B7B5C537231183D710363BEEE4D235BB79DBE04 | |||
| 2236 | MicrosoftEdgeWebview2Setup.exe | C:\Users\admin\AppData\Local\Temp\EUF9B4.tmp\MicrosoftEdgeUpdate.exe | executable | |
MD5:BBD650A482ED31B5FD9B1C1636A08EA1 | SHA256:09720A953DF65CCAEA888D6D74C26520F0E06A3A43B5A219A69B64136B01C88D | |||
| 2236 | MicrosoftEdgeWebview2Setup.exe | C:\Users\admin\AppData\Local\Temp\EUF9B4.tmp\msedgeupdate.dll | executable | |
MD5:34366289614548C60837E31DA6477A6E | SHA256:6EE3E95AA78DBD5B3F469F670072574AFA16EA00EE2A7077472BF0405F572635 | |||
| 2236 | MicrosoftEdgeWebview2Setup.exe | C:\Users\admin\AppData\Local\Temp\EUF9B4.tmp\MicrosoftEdgeUpdateBroker.exe | executable | |
MD5:3183363DEE370C1ADB75B36D381C37DB | SHA256:A7DFC2A3833234D4378D5E5FF9F856BCFD5877FC769A11B17E738CF77D8000FD | |||
| 2236 | MicrosoftEdgeWebview2Setup.exe | C:\Users\admin\AppData\Local\Temp\EUF9B4.tmp\MicrosoftEdgeUpdateOnDemand.exe | executable | |
MD5:23E508DF04911742E9051987A1FDDB99 | SHA256:AB15809C86CF0E792F141732064BFAF24A2B8786F2A52A7C22D9D59855E5AC8A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
61
DNS requests
25
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6456 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5548 | svchost.exe | HEAD | 200 | 199.232.214.172:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2d32fe70-a320-4465-a1ad-5f20197f7f9a?P1=1744694557&P2=404&P3=2&P4=Nmv9HRCs8GLqEhdVS8WLmWJdzBXsk2etpbKrPxjTLFb3Rchk%2f2Z6xJtZo7ySliE7n16zUWmMHz5oaBPm0MZC%2bQ%3d%3d | unknown | — | — | whitelisted |
5548 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2d32fe70-a320-4465-a1ad-5f20197f7f9a?P1=1744694557&P2=404&P3=2&P4=Nmv9HRCs8GLqEhdVS8WLmWJdzBXsk2etpbKrPxjTLFb3Rchk%2f2Z6xJtZo7ySliE7n16zUWmMHz5oaBPm0MZC%2bQ%3d%3d | unknown | — | — | whitelisted |
— | — | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
2040 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
2040 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
2040 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
2040 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
2040 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
2040 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6456 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6456 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
5408 | TurtleWoW.exe | 69.192.162.125:80 | go.microsoft.com | AKAMAI-AS | DE | whitelisted |
5408 | TurtleWoW.exe | 23.48.23.48:80 | msedge.sf.dl.delivery.mp.microsoft.com | Akamai International B.V. | DE | whitelisted |
6112 | MicrosoftEdgeUpdate.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2320 | MicrosoftEdgeUpdate.exe | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
msedge.sf.dl.delivery.mp.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
msedge.api.cdp.microsoft.com |
| whitelisted |
msedge.f.tlu.dl.delivery.mp.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | ET INFO Packed Executable Download |
— | — | Misc activity | ET INFO Packed Executable Download |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net) |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net) |