Overview
overview
7Static
static
3Crystal-Cl...up.exe
windows7-x64
7Crystal-Cl...up.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3Crystal Cl...er.exe
windows7-x64
7Crystal Cl...er.exe
windows10-2004-x64
7LICENSES.c...m.html
windows7-x64
3LICENSES.c...m.html
windows10-2004-x64
1d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1resources/elevate.exe
windows7-x64
3resources/elevate.exe
windows10-2004-x64
swiftshade...GL.dll
windows7-x64
1swiftshade...GL.dll
windows10-2004-x64
1swiftshade...v2.dll
windows7-x64
1swiftshade...v2.dll
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...gs.dll
windows7-x64
3Analysis
-
max time kernel
122s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07/09/2024, 16:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Crystal-Client-Launcher-setup.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
Crystal-Client-Launcher-setup.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240903-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240903-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral9
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240903-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral10
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral11
Sample
Crystal Client Launcher.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral12
Sample
Crystal Client Launcher.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral13
Sample
LICENSES.chromium.html
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral14
Sample
LICENSES.chromium.html
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral15
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral16
Sample
ffmpeg.dll
Resource
win7-20240903-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral17
Sample
ffmpeg.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral18
Sample
libEGL.dll
Resource
win7-20240903-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral19
Sample
libEGL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral20
Sample
libGLESv2.dll
Resource
win7-20240903-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral21
Sample
libGLESv2.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral22
Sample
resources/elevate.exe
Resource
win7-20240708-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral23
Sample
resources/elevate.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral24
Sample
swiftshader/libEGL.dll
Resource
win7-20240903-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral25
Sample
swiftshader/libEGL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral26
Sample
swiftshader/libGLESv2.dll
Resource
win7-20240903-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral27
Sample
swiftshader/libGLESv2.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral28
Sample
vk_swiftshader.dll
Resource
win7-20240903-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral29
Sample
vk_swiftshader.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral30
Sample
vulkan-1.dll
Resource
win7-20240903-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral31
Sample
vulkan-1.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral32
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240704-en
windows7-x64
3 signatures
150 seconds
General
-
Target
Crystal Client Launcher.exe
-
Size
133.2MB
-
MD5
f2d952c283c535a6c0247f610d5cf6f2
-
SHA1
eddf220e263c4b8610606f538e0b28574ea359f4
-
SHA256
8dc40dcd2d9d2c65785999249112fe7729d546f378bd85828a65c29db9078628
-
SHA512
9d395fce49cda66e2746abece61ff0d290d43842dcd0a78d4fdb76d145f03d9856ce4f0ad6589bc135700608769fe2b58b798a7f2b64bb64945df70ec761bd4a
-
SSDEEP
1572864:P2HVo9Ck+yOBBdJAVwlymAETslfp409t:v9Ctx3tu
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation Crystal Client Launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation Crystal Client Launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation Crystal Client Launcher.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 37 discord.com 44 discord.com -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 Crystal Client Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 Crystal Client Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 Crystal Client Launcher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Crystal Client Launcher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Crystal Client Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Crystal Client Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Crystal Client Launcher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 Crystal Client Launcher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 Crystal Client Launcher.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2372 Crystal Client Launcher.exe 2588 Crystal Client Launcher.exe 2452 Crystal Client Launcher.exe 2452 Crystal Client Launcher.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 1532 2452 Crystal Client Launcher.exe 31 PID 2452 wrote to memory of 2372 2452 Crystal Client Launcher.exe 32 PID 2452 wrote to memory of 2372 2452 Crystal Client Launcher.exe 32 PID 2452 wrote to memory of 2372 2452 Crystal Client Launcher.exe 32 PID 2452 wrote to memory of 2588 2452 Crystal Client Launcher.exe 33 PID 2452 wrote to memory of 2588 2452 Crystal Client Launcher.exe 33 PID 2452 wrote to memory of 2588 2452 Crystal Client Launcher.exe 33 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34 PID 2452 wrote to memory of 2996 2452 Crystal Client Launcher.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\Crystal Client Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Crystal Client Launcher.exe"1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\Crystal Client Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Crystal Client Launcher.exe" --type=gpu-process --field-trial-handle=956,3896884502653065101,10711045667087909887,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\crystalclient-launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=964 /prefetch:22⤵PID:1532
-
-
C:\Users\Admin\AppData\Local\Temp\Crystal Client Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Crystal Client Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=956,3896884502653065101,10711045667087909887,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\crystalclient-launcher" --mojo-platform-channel-handle=1276 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2372
-
-
C:\Users\Admin\AppData\Local\Temp\Crystal Client Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Crystal Client Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\crystalclient-launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --force-device-scale-factor=1 --field-trial-handle=956,3896884502653065101,10711045667087909887,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1476 /prefetch:12⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2588
-
-
C:\Users\Admin\AppData\Local\Temp\Crystal Client Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Crystal Client Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\crystalclient-launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --force-device-scale-factor=1 --field-trial-handle=956,3896884502653065101,10711045667087909887,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 /prefetch:12⤵
- Checks computer location settings
PID:2996
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
59B
MD578bfcecb05ed1904edce3b60cb5c7e62
SHA1bf77a7461de9d41d12aa88fba056ba758793d9ce
SHA256c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572
SHA5122420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73
-
Filesize
57B
MD558127c59cb9e1da127904c341d15372b
SHA162445484661d8036ce9788baeaba31d204e9a5fc
SHA256be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA5128d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a
-
Filesize
441KB
MD5a78ad14e77147e7de3647e61964c0335
SHA1cecc3dd41f4cea0192b24300c71e1911bd4fce45
SHA2560d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa
SHA512dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101
-
Filesize
48B
MD5e0bab2dbf76bc002d237f568b043ddb1
SHA16579138b996bdc54c6497f4d70d07eb5edf3f411
SHA2567ca80dd57fe097eb38b8062806edfda6d665b6b69ec28b940e3245c4932d61b5
SHA5123c62eed2038087117e6df274fbea83593bb661058f0efd86637a507cb7cddb7abfb08778e8b6eecf6a0913faff4ced59d07a3aa6ed979b93c2ba50086ff96753
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
689B
MD55fa6738c0b4f6798f5c9d9ef9b72ef8e
SHA1e706868c97aa705b68ec1264f83b71a438027ab6
SHA256d208a5fd2da621a6b20b007f15989e281881323fbfe3fd0460dac5e2f271e233
SHA5124206d5eeb11efec645f558959acca6a3dfcd3cf6c947167031806cf9ee70ae2489547298e6aaef599c792b0be5dea3d4e2fd9adf8dc93475ac78f0e3f6d0a869