Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
-
submitted
16/03/2025, 11:50
General
-
Target
https://sites.google.com/view/drcheats5
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Drops file in Windows directory 17 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://sites.google.com/view/drcheats51⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x28c,0x7ffc1b88f208,0x7ffc1b88f214,0x7ffc1b88f2202⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2244,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2492,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=2728 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5032,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5096,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5560,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=604,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5680,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=6064 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5100,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5656,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4824,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5864,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=6128 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5856,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5424,i,12174022407198303184,8689936060348222503,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280B
MD5aa9afd16e8041e8c80250b50ea6899e4
SHA1a3a698d431952253255c343f2b35f74e73e63088
SHA2562bd7f856d73f78bc3a4de32b447b21babad42c009b19fcebe2f8cdeca2380926
SHA512344de0888df8851d957ca6fab055eb9e2f1aa6d958022c2c30442cd6aad4d158d0a99f8908184abc60fb1e0ccdd3d9395d8c0d37fc317d3700974c3348d4a5ff
-
Filesize
3KB
MD5ed0f11f12dcbdc8c0d99edb93bd0cab1
SHA12fe36145d6015bd10cb74b2460ca52c78ae180eb
SHA2566aa5fdc96f157975e4eb8728f6063ed91092c9f2a59d39798a9436c16bcadba1
SHA5129ed9c0a8a35de0cf6a398044ae79cf31ee1e4503f1e60b0f79e129ef589ac8e74b3bda791bf707675ac45baeddb00684ec4693da6b3d278605be8656e2f5d864
-
Filesize
3KB
MD5d4fcf85704f8648e8af8bd4c8cc66aea
SHA1aaa60f0b093572eaeefab392943e066df53811eb
SHA2569c2feff82ebe187df40952c33049aa21eb044537eb5e759133abb7d5b0fa82e5
SHA512ddacac30706cbfa7b49e989c842157db6101b05cb4002497542a1c69a1c68f4780786dd5da2334df9cc38ad109ad9a9ea29eccca680715d47368058b75448da5
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
3KB
MD59a90732d7a234a9d90f5d878b496a351
SHA192d8dbc59f5d809e93264f3e0c7d486ff5d13045
SHA25645ce850d04d24b78117b197cf8029ee5c3ab8472f47ad5246fa076db2976e36c
SHA5121ccae0239d63321d66349971407940da6e7ac0d96f261f821a45242d4bc1a8140258810b74a539250a8a4d92700872788bd907a5af988b4d1a920bb9cd012ae3
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
16KB
MD56a9241bc739471036d13e539ab23b865
SHA1d35701ba6238f15eb0a74fc77b74befeccc1d2ec
SHA256f4266fffa9472708bede1777fc7db7bf71db26ec366a127a381e0b9565e5492a
SHA512787febca13b84fe339039805bb4420058c71deef91e2180eb16469a11d68db85c6dfd98819819953749cc50a58c7bee7277f158d026d4fed2af46016f6abb179
-
Filesize
16KB
MD5629147eab9afd0a236c49cc4c033a0bf
SHA1e47ef44942febc7b363750f076bf13c30edc245f
SHA256ab8112aeb30222f8fde24c7f0bab0d947fdca9ced712655cb04b0ee49de2ecc2
SHA51252923628b166262f5e41a8f74d0c35faa1218e24224935ead8e0908f23d0908544d9877adfef823e3d494c53935a25756b8f97b09bdfd4b62ffeafd1c3a1085c
-
Filesize
36KB
MD57809017493b86fc7680104166378ace2
SHA1330199a5ea6fa5005461c2105d8b90a80ce15d96
SHA2568f8e1fed6e2887554adf141f3632a62b2c3febc62280641e823e3f0f01ccce53
SHA51230025acb66afe44de13d1fbf0d757da0d9cd661baded33e73d6c4c6753ac8d4774eeef106f1af6af1484216966c78ab6c49977b8d7d56a63e319e6b335509244
-
Filesize
22KB
MD561b22b1f9faca69a3694c3cdc5259e93
SHA1f4922a26d1fca4d8e382c48e6f7d69422a7dd8ed
SHA2568aec5a01bf3df0f0950b6bdc3d631debe8ef22adfecb22a3d32959e6fd810379
SHA512f779cd312425f332f1c4b3756453d7f9ff1f9896f75fbdf02a022483682398b57c27c2bd998e0ec40940f12999fb3fc72230dfdb6a34ed5f1c47e0470fdf7715
-
Filesize
464B
MD569752247c486d0d97f5daf68ee33919b
SHA13ff55bac35a0ded64c7148e4946662c55d11b16b
SHA256cb71b2df18bccab25948ae8984fdef325efd5a7037c67499d6bda0c840ac7ebb
SHA5129ad7cb190cead0e537273182e7b7e245635791e09c44f5c35c83f4c970b2c2e6b47353415123adb85e6eb4017cdc325d20c8c55a76be914a0a690f6e40d0da6b
-
Filesize
40KB
MD5409dbc0ef1fc29739cd518733840f432
SHA1a754fd48bd9525f8d2804daf53e9423b308ad036
SHA2567d0159f1c87c3b3bd68bc63cda8cf596392c76aabbcea11012bfaf2b871949ae
SHA5127148c081389a156cb875d570a98ada6c7672c57e009a6b4f295f8f6a1ecb72e7010e0a3b484fc3339f7ebc5185526a5a1214f8b88d0ae2fc35caf3e55065e96e
-
Filesize
49KB
MD59674a42786eeaf48c4e5ab1214953d29
SHA1c29ca2ba351305266b4143c3fba6a886c3fff190
SHA256c6ab9016e00929ddac5f4d2b14f2c41256aa5daa053867c4662f53d04ec433b7
SHA512581d328a73f5fda5b72dfd8b951497d49f788987da621b5841d513d2296740f8bb95c24c2498eba85b12e645145fa3467f5b9e58e2c4fd8320c9429d58eb89c4
-
Filesize
54KB
MD5b37428ec593a422ec7cee0e26a943dac
SHA12314b31d09ade20a699de6fcc16f4e28522ce68e
SHA25651fbc8afea1efd944258d68e6f864cc9cd0bb4ba1205031b7175fff1be693d0c
SHA512a78217aa8eaa85b8f6f6d34f3924942d4052453cfe68e9ae3cdb561edd2eb1c0889b356c4456c8f640c020a877cb387240f2c7a574dc7032256f184433b6ff74
-
Filesize
572KB
MD5f5f5b37fd514776f455864502c852773
SHA18d5ed434173fd77feb33cb6cb0fad5e2388d97c6
SHA2562778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e
SHA512b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6
-
Filesize
2KB
MD5e82c05806a81d61dda69bd1e9c45e975
SHA10aea04708390a596be187607d70c880ec37688b0
SHA2560ca91f208ae7bce15726fa178ed090fdd2a74e5224490987c1085303b7ad8924
SHA51219a9f2e9004918761043c4dd672bcfd8c5ffe1f4c5f65573c9c22592255e81ca4e97a25d4d280dbb14256d372d47e139d466524905fd46a1465aea38f2e09b8d