hxxp://trk[.]hstalks[.]com/?xtl=1f7zo6z1zd41xgger1xrx1pu7su6g2ojh15a788f1en20x4rhyjx8p970nzdu91xvg5i1ptzi2ukcajacldhkd3ez6764n0k6w1lrbn3j4ulky1hlab0nwlu7wdvm9dsxxsqipbu&eih=mcexojmfvngeosda3ii0f74lwvg1ti2b&__stmp=sax68g

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://trk.hstalks.com/?xtl=1f7zo6z1zd41xgger1xrx1pu7su6g2ojh15a788f1en20x4rhyjx8p970nzdu91xvg5i1ptzi2ukcajacldhkd3ez6764n0k6w1lrbn3j4ulky1hlab0nwlu7wdvm9dsxxsqipbu&eih=mcexojmfvngeosda3ii0f74lwvg1ti2b&__stmp=sax68g

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3748	msedge.exe
3748	msedge.exe
2952	msedge.exe
2952	msedge.exe
744	identity_helper.exe
744	identity_helper.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2860	2952	msedge.exe	87
PID 2952 wrote to memory of 2860	2952	msedge.exe	87
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 2316	2952	msedge.exe	88
PID 2952 wrote to memory of 3748	2952	msedge.exe	89
PID 2952 wrote to memory of 3748	2952	msedge.exe	89
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90
PID 2952 wrote to memory of 4012	2952	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trk.hstalks.com/?xtl=1f7zo6z1zd41xgger1xrx1pu7su6g2ojh15a788f1en20x4rhyjx8p970nzdu91xvg5i1ptzi2ukcajacldhkd3ez6764n0k6w1lrbn3j4ulky1hlab0nwlu7wdvm9dsxxsqipbu&eih=mcexojmfvngeosda3ii0f74lwvg1ti2b&__stmp=sax68g
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffd4046f8,0x7ffffd404708,0x7ffffd404718
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,13464817207224541976,1655299880056676936,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4844 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
5d0c1d2c02b98dadaa8f042f912e82da

SHA1
107aa0f379fc1752525f188f60dc359cbeb794b1

SHA256
4ea367551ee246b12b23a1e1fb097101f092e7ff6febcf04fbf8dd0dfcf09241

SHA512
23493c5fba37e98dd344e3d491483d5ac39c1352a35b5e36595216ce28f126822819d9373be0e642e2eba18ba8410835767b9be3f127cd99a4a0737050d2f440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
259B

MD5
dbcb7c181ccce93548b3b3d87d491506

SHA1
9437b8b1a5f534e2e7627303dac0262cd646d86d

SHA256
df0c7a30018c40be13c2a92c046268789da35d40741d282087f38010144dcda0

SHA512
9d0d7c68e8949a64782dc0f758378aa9449f99ae24420ff0c1ea895f520f0a09b4633d4cbd3d2abaaab3fe6478498b7559b9e65dd54b1406a6995e63ab8d0eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b53412c04a1d3dcb48a3137a7d4c5948

SHA1
848c4dc5330a2c25e4d901acb5c03b54fc1d0588

SHA256
c0039484706aacd138945e5d5a842ead1a855fc581e9cda07b6f0c562768c68a

SHA512
e8798cae1a1973b9a6f5d1f7e7bd961b8227f3a8896c73e102240b41049ec5b69c459387f1d0bfc22121b35e8cb18e6d84903bbbaa6433c040394fa805b0f200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b157830c-58bf-47bd-923f-fba6efcd2920.tmp

Filesize
6KB

MD5
bd063fbac3ffa888e3a7d8e98a8dc81e

SHA1
e5fe0725db41b69c1588ab368cbf0ea5523aae2b

SHA256
4068f3f6272eddd2f3bb488b850e3c26d97bfd0905cc0a7abdadfe6a2029f7e9

SHA512
c47e6767cc46a47d6947b9196aff6172f9ea487d40614c3b6ba1f0530082446cafde1209c8af6b562d747e351d7903f1a5448508d027031751d28dc6583f8f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
72beaa6bd03dd26e06f7e963ff7bf2d9

SHA1
e42ac62b556aba9deabeadc030ebfc2b94a96797

SHA256
9c9e9ed974816f7b831cfdd6cb85967af6e8efe2f608490c5662eb34ea9c0394

SHA512
3bfe94f6d66edf5dfe13da5c07ce35d86c9a35b233fe75c475c1c5df409c855b2eeffce0de61cfe8b1fe1df11a60138b589d91f45108c79827613c5c2cf3768c

Download Submit