hxxps://grabify[.]link/TCCESUCheats and hacks for CS 2

Analysis

max time kernel
75s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://grabify.link/TCCESUCheats and hacks for CS 2

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1844	msedge.exe
1844	msedge.exe
4088	msedge.exe
4088	msedge.exe
5012	identity_helper.exe
5012	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 3760	4088	msedge.exe	85
PID 4088 wrote to memory of 3760	4088	msedge.exe	85
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 3484	4088	msedge.exe	86
PID 4088 wrote to memory of 1844	4088	msedge.exe	87
PID 4088 wrote to memory of 1844	4088	msedge.exe	87
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88
PID 4088 wrote to memory of 3032	4088	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://grabify.link/TCCESUCheats and hacks for CS 2
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7dbe46f8,0x7ffa7dbe4708,0x7ffa7dbe4718
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1338810548905772455,16826110651867917703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:5284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9519bc058003dbea34765176083739e

SHA1
ef49b8790219eaddbdacb7fc97d3d05433b8575c

SHA256
e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

SHA512
a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
99a015cab963224c89eb4cc1b1086da0

SHA1
1d8b209c6553a56995bf2468b0b50352e1af59a4

SHA256
1c2ce987d0dd4959867d1a810f5a63f75e5d4ee6e8f0e4c7c3adbc33e0175551

SHA512
4d5a0683032837862ee1b0d89d99879771217af26fd3b9ad8c07bb51ac735a6e198897da9eccb79a816d26c20cdeb7fae889a0525d5dc9e11645e8b02ce09330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5ad59fc480cdb0acf33c03f6eec7a802

SHA1
0fcf49781b8533e1aa90ce2035e0eaa75bc51e5d

SHA256
a917011a4de1d5c0e8e79d99dd3b7238fb86ace204b64d1a5715ba5811692b12

SHA512
590cef26f6a710951fa99724fc01d236307da8731b4b08af9ad4f0c088bb65de6c51ffd50767be86093a31b544c4a716de371668bde24a859b8c403b029b52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d3bc6cc2ffb4106dd65f39b3b7fc6935

SHA1
ffa0ac8d7c73ef5cfeb5a17f5a64c71a530afcee

SHA256
c98ab4c339b8f53d0de60b2a8369726bc09dde5ef99e07977ea596209e721c61

SHA512
8111fc804df54ed6d105e182e2ace7c81cfc8369d4708ad074d82674bafc058bcd95f1f7666cef33db0bddc4280fc01403d62d601f0a68bf863413850b3e3b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
898a338cb6f21a2c9a6a1ed4d9cc3820

SHA1
305de8e2abae10c7917d5f7526e79529ea08195a

SHA256
5f1da13e8dcf195b868c3ce77715d50e9d7fddbb59741c24d7fa3fbd49b0ff9a

SHA512
212ab935996d826f39056c2c5d5f24e956e92e753f3c1eda84876a82ec2e0d7dc358593ee31d97b2354d1f820d1688d690864e207b1a47036640744f787f3642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36ec4f75b87acbb46278d9962326cddb

SHA1
edd9742f22f68b40ed8cf76dcea0dbbcb86f6913

SHA256
68922df9d75f55ed4f36b6f0c07844f31abd4e53a3dae654e339ba878c09831a

SHA512
0f1f609c9bac1302065fe789184e946dcd76f3840996d706e6b1804b563f3e066eaac0b3bc7dd3b6a31f0fbec3e7280e55fa7f529962b1d79b42154a8f00095d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d466b2ddc4b15c3e6545dead950e74fe

SHA1
e6bdf30f9606b1418874a06d342835359e718797

SHA256
a662d18c788f8bce0dd5b812c2667389559fa00c5d91409789c892e120984ffd

SHA512
34fdc1c5a1242949513f864a025630e13d871cd8daf5d5670f5badd571ddf8643cf8bfdfc89bf3e38161b5a97075f8e783e16469857ad2f8edd7e1667e2e6694

Download Submit