hxxps://account[.]microsoft[.]com/profile/unsubscribe?CTID=0&ECID=cvdYOoUkAWv*2FKPXCIGKw*2B6RK5TWoz9gPkl6G*2FSFrCgU*3D&K=85a2b03c-36a5-42a4-b107-f35851ec663e&D=638498268114930847&PID=19084&TID=00000000-0000-0000-0000-000000000001&CMID=null

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://account.microsoft.com/profile/unsubscribe?CTID=0&ECID=cvdYOoUkAWv*2FKPXCIGKw*2B6RK5TWoz9gPkl6G*2FSFrCgU*3D&K=85a2b03c-36a5-42a4-b107-f35851ec663e&D=638498268114930847&PID=19084&TID=00000000-0000-0000-0000-000000000001&CMID=null

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1652	msedge.exe
1652	msedge.exe
1300	msedge.exe
1300	msedge.exe
1788	identity_helper.exe
1788	identity_helper.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 884	1300	msedge.exe	83
PID 1300 wrote to memory of 884	1300	msedge.exe	83
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 3272	1300	msedge.exe	84
PID 1300 wrote to memory of 1652	1300	msedge.exe	85
PID 1300 wrote to memory of 1652	1300	msedge.exe	85
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86
PID 1300 wrote to memory of 3252	1300	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://account.microsoft.com/profile/unsubscribe?CTID=0&ECID=cvdYOoUkAWv*2FKPXCIGKw*2B6RK5TWoz9gPkl6G*2FSFrCgU*3D&K=85a2b03c-36a5-42a4-b107-f35851ec663e&D=638498268114930847&PID=19084&TID=00000000-0000-0000-0000-000000000001&CMID=null
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94f5f46f8,0x7ff94f5f4708,0x7ff94f5f4718
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4621456420129609403,305212679913497010,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4588 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
3331e545cc033d53c115f2ae72f8fd52

SHA1
3e37180edce9474dbcd9dee323705fb5a7c32fbf

SHA256
784ec7df9a3c6f45b12be70c021f1ea172df7b2ad642d736a782c2babb99dafa

SHA512
8f7c6c5a77004e8690dcda8a13920c301cdc217b0f63a2a69630609e4b79a3b38f1dcd9eeb388741a7eebf0bd8fe1b749cd62be102a5f8197f2aee8b909e8b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
727B

MD5
67a0c3660f858d8f9d7c0afdb57b3d42

SHA1
a5d67c5ff6ec84ded006bfec4ea46d442361cfb9

SHA256
79cb12b973f5d1b9acfd87e120857d40e99374299d9820cdb9a96e06a39754e8

SHA512
e0fbfaf879b60389817d3f92b869fe7545c9087952c6ef7b83824b675e99adbc215a5f2ec90b29da2181f081b89c6942d1c4a19de98795264c0b7d262eadb4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0ae8e0c5db50796f32f013c55948e4b1

SHA1
56c470da0b7e212a89f1ed3f4a4f4f68961068b0

SHA256
cd1e9c4243853c2cd3742640ceebe7df925254128dd670d1a10f3f091159c155

SHA512
1b2a0786a6619abf4ceca507e33412d8bd569386afafc997e19fea2fc4e993bed1e511037518b88a8369851224f0db44aae34614c3ea3db65da896c9b53422e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e922a6553b2138a15fa6efdf29eeb379

SHA1
3b3eb5459974ebfba157d471dd37d03d595c869c

SHA256
ed9a15af4959087874ac36239246e3cfcf6ffadad18bd05a4b9220084218f433

SHA512
5f31a216b7929544265da95d6983044808e1610bdc61ecbcb1c9620427f693ccb1fffb70eb4ca7fb3760827d65ff47ebd80bdd62f977b62167cac4cb378c77b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aa73e4b39a721c094e86b4c4bcf7ee4b

SHA1
eef08d1327ea517540c413371df74890c96d37f9

SHA256
2de6005cf8df5ff64e2a1c79529011331c22242efc99af2c829712512f43fe46

SHA512
43aa63796567a1e079d45481da46dc2a0cbae721c7721bb7e7a18174b965acf16fe9adb5fcb9120161c0370749308a98e1b03ddcf14c74806da891e92717cbb3

Download Submit