| File name: | TalonUpdater.exe |
|---|---|
| Full analysis: | https://app.any.run/tasks/17456132-4b58-439e-a9d2-04d363ba41f1 |
| Verdict: | Malicious activity |
| Analysis date: | May 10, 2025, 22:13:21 |
| OS: | Windows 11 Professional (build: 22000, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 9 sections |
| MD5: | 02EC3DD7B2274C8E29F047D663A1868F |
| SHA1: | C767619D9AB68FC7EE17327EA7523E290ED868DA |
| SHA256: | 522E0AAE9CCE897B5E5F27BC2A3B1BD1531ED0FA056B9EF881D74771021C4C2E |
| SSDEEP: | 98304:oWfyI/6csQEsFMXqVLwQpjI4qKFNTX/Hq+rdbdBqYtjxauh5Qwvz7SR+aXZSVDcG:GWKOva7ssWwCo5AL3ubzhU7MhFiTsYl |
| .exe | Generic Win/DOS Executable (50) |
|---|---|
| .exe | DOS Executable Generic (49.9) |
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:05:10 18:39:14+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.43 |
| CodeSize: | 3909632 |
| InitializedDataSize: | 2090496 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x134cf00 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 0.1.0.0 |
| ProductVersionNumber: | 0.1.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| ProductVersion: | 0.1.0 |
| FileDescription: | Talon |
| FileVersion: | 0.1.0 |
| ProductName: | Talon |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 2484 | "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=entity_extraction --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.talon.dev\EBWebView" --webview-exe-name=TalonUpdater.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=4332 --field-trial-handle=1876,i,17787023672256482044,6647117859950862155,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:8 | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe | — | msedgewebview2.exe | admin | Microsoft Corporation | LOW | Microsoft Edge WebView2 | 0 | 103.0.1264.77 |
| 2836 | "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.talon.dev\EBWebView" --webview-exe-name=TalonUpdater.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1872 --field-trial-handle=1876,i,17787023672256482044,6647117859950862155,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:2 | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe | — | msedgewebview2.exe | admin | Microsoft Corporation | LOW | Microsoft Edge WebView2 | 0 | 103.0.1264.77 |
| 2984 | "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\com.talon.dev\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=103.0.5060.134 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=103.0.1264.77 --initial-client-data=0x130,0x134,0x138,0x10c,0x140,0x7ffc83bba0b8,0x7ffc83bba0c8,0x7ffc83bba0d8 | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe | — | msedgewebview2.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Edge WebView2 | 0 | 103.0.1264.77 |
| 3324 | "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.talon.dev\EBWebView" --webview-exe-name=TalonUpdater.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1876,i,17787023672256482044,6647117859950862155,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:1 | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe | — | msedgewebview2.exe | admin | Microsoft Corporation | LOW | Microsoft Edge WebView2 | 0 | 103.0.1264.77 |
| 3708 | "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.talon.dev\EBWebView" --webview-exe-name=TalonUpdater.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2268 --field-trial-handle=1876,i,17787023672256482044,6647117859950862155,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:8 | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe | — | msedgewebview2.exe | admin | Microsoft Corporation | LOW | Microsoft Edge WebView2 | 0 | 103.0.1264.77 |
| 4012 | "C:\Users\admin\Desktop\TalonUpdater.exe" | C:\Users\admin\Desktop\TalonUpdater.exe | | explorer.exe | admin | | MEDIUM | Talon | 0 | 0.1.0 |
| 4712 | "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=TalonUpdater.exe --webview-exe-version=0.1.0 --user-data-dir="C:\Users\admin\AppData\Local\com.talon.dev\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=4012.5604.672826608199314817 | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe | | TalonUpdater.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Edge WebView2 | 0 | 103.0.1264.77 |
| 4996 | "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.talon.dev\EBWebView" --webview-exe-name=TalonUpdater.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1988 --field-trial-handle=1876,i,17787023672256482044,6647117859950862155,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:3 | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe | | msedgewebview2.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Edge WebView2 | 0 | 103.0.1264.77 |
| 5016 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | TalonUpdater.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.22000.1 (WinBuild.160101.0800) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 4712 | msedgewebview2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\EdgeWebView | UsageStatsInSample | 1 |
| 4712 | msedgewebview2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5} | usagestats | 0 |
| 4712 | msedgewebview2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5} | urlstats | 0 |
| 4712 | msedgewebview2.exe | delete value | HKEY_CURRENT_USER\Software\Microsoft\EdgeWebView\PreferenceMACs\Default | extensions.settings | |
| 4712 | msedgewebview2.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\EdgeWebView\PreferenceMACs\Default\extensions.settings | (default) | |
| 4712 | msedgewebview2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\EdgeWebView\BLBeacon | failed_count | 0 |
| 4712 | msedgewebview2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\EdgeWebView\BLBeacon | state | 2 |
| 4712 | msedgewebview2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\EdgeWebView\ThirdParty | StatusCodes | |
| 4712 | msedgewebview2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\EdgeWebView\ThirdParty | StatusCodes | 01000000 |
| 4712 | msedgewebview2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\EdgeWebView\BLBeacon | state | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4712 | msedgewebview2.exe | C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\Crashpad\throttle_store.dat | text | 9E4E94633B73F4A7680240A0FFD6CD2C | 41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304 |
| 4712 | msedgewebview2.exe | C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\Default\Code Cache\wasm\index | binary | 54CB446F628B2EA4A5BCE5769910512E | FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D |
| 4712 | msedgewebview2.exe | C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\dcee0d16-f672-4e54-ab56-296f97f92aa4.tmp | binary | D2AF3F564646746100C6400040295F3A | 5DB88B15DF6D94984C99886FC51871DC92C941BD43F929CE8DDA46E6684D916B |
| 4712 | msedgewebview2.exe | C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\Default\README | text | 643E00B0186AA80523F8A6BED550A925 | A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87 |
| 4712 | msedgewebview2.exe | C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\Default\History-journal | — | — | — |
| 4712 | msedgewebview2.exe | C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\Last Version | text | 1D354FAA000B9FAEDC85B2F06DB8B927 | BC34CC1FC9245A9341C38036E37CDAE4FCFB1893459F0727D308EE3B7C605808 |
| 4712 | msedgewebview2.exe | C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\Default\Code Cache\wasm\index-dir\temp-index | binary | 3BD4A986669A7093EB3CEB8C457598FB | 9FB704CA0D7C1B81D319CB64C2D33665A2D0D6E0563A6FA5631674A0FF6F1A80 |
| 4712 | msedgewebview2.exe | C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\Default\Code Cache\js\index | binary | 54CB446F628B2EA4A5BCE5769910512E | FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D |
| 4712 | msedgewebview2.exe | C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\Default\Extension Scripts\000001.dbtmp | text | 46295CAC801E5D4857D09837238A6394 | 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 |
| 4712 | msedgewebview2.exe | C:\Users\admin\AppData\Local\com.talon.dev\EBWebView\Default\Code Cache\js\index-dir\temp-index | binary | 3BD4A986669A7093EB3CEB8C457598FB | 9FB704CA0D7C1B81D319CB64C2D33665A2D0D6E0563A6FA5631674A0FF6F1A80 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 200 | 2.16.164.35:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | — | — | whitelisted |
| 3640 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d9a11b5b0e7c76bb | unknown | — | — | whitelisted |
| 4576 | MoUsoCoreWorker.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1f53c5851559991f | unknown | — | — | whitelisted |
| — | — | HEAD | 200 | 23.197.142.186:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | — | — | — |
| — | — | GET | — | 66.33.60.129:443 | https://files.talon.gay/injector.exe | unknown | — | — | — |
| 2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?2efe063e74f19306 | unknown | — | — | whitelisted |
| 2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e8295883656f7dad | unknown | — | — | whitelisted |
| 2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?15be5abb986864ed | unknown | — | — | whitelisted |
| 2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?c10bf6f6673bef07 | unknown | — | — | whitelisted |
| — | — | POST | 200 | 20.190.160.17:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 2.16.164.35:80 | — | Akamai International B.V. | NL | unknown |
| — | — | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| — | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 3640 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted |
| 4576 | MoUsoCoreWorker.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted |
| 3640 | svchost.exe | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 2776 | svchost.exe | 20.189.173.25:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 5768 | smartscreen.exe | 20.93.72.182:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4996 | msedgewebview2.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 3952 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| google.com | | whitelisted |
| settings-win.data.microsoft.com | | whitelisted |
| login.live.com | | whitelisted |
| ctldl.windowsupdate.com | | whitelisted |
| v10.events.data.microsoft.com | | whitelisted |
| checkappexec.microsoft.com | | whitelisted |
| config.edge.skype.com | | whitelisted |
| status.talon.gay | | unknown |
| fs.microsoft.com | | whitelisted |
| files.talon.gay | | unknown |
| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Misc activity | ET INFO Microsoft Connection Test |
| — | — | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method |
| Process | Message |
|---|---|
| msedgewebview2.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\com.talon.dev directory exists ) |