Analysis

  • max time kernel
    601s
  • max time network
    586s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-11-2024 19:33

General

  • Target

    CrystalSiege.exe

  • Size

    154.6MB

  • MD5

    ff881bc6d9f56f353232a177575d0f1f

  • SHA1

    9d2fea770f59f05a6480a5f8915227bc6457f74c

  • SHA256

    690323b53f29fd18687a9049d7c4c26cb8346a8a4b65c51660a55ae6141f4dab

  • SHA512

    e5bdda697e1572c969081548a84d3553fcd3ea45395eb0de2ae9f0f91308fd54edf0eb222d1d8cb99a12e83196cb3364488e86ebc4991eb63937dd7a1662fc5e

  • SSDEEP

    1572864:gTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:Tv6E70+Mk

Malware Config

Signatures

  • Hexon family
  • Hexon stealer

    Hexon is a stealer written in Electron NodeJS.

  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates processes with tasklist 1 TTPs 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 9 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
    "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5360
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5908
    • C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
      "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1828,i,14174224797291090694,2950330569913280093,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:2828
      • C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
        "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --mojo-platform-channel-handle=2000 --field-trial-handle=1828,i,14174224797291090694,2950330569913280093,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5632
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4028
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2380
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Windows\system32\where.exe
          where /r . cookies.sqlite
          3⤵
            PID:2216
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1520
          • C:\Windows\system32\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1560
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4068
          • C:\Windows\system32\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:3328
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9223 --profile-directory=Default --disable-gpu --no-sandbox --window-position=-32000,-32000
          2⤵
          • Uses browser remote debugging
          • Drops file in Windows directory
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb246ccc40,0x7ffb246ccc4c,0x7ffb246ccc58
            3⤵
              PID:4276
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1944,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2
              3⤵
                PID:988
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1796,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1752 /prefetch:3
                3⤵
                  PID:1328
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=2020,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
                  3⤵
                    PID:4804
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2868,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2880 /prefetch:1
                    3⤵
                    • Uses browser remote debugging
                    PID:2936
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2884,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2900 /prefetch:1
                    3⤵
                    • Uses browser remote debugging
                    PID:3904
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3992,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3956 /prefetch:1
                    3⤵
                    • Uses browser remote debugging
                    PID:5544
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --disable-gpu --no-sandbox --window-position=-32000,-32000
                  2⤵
                  • Uses browser remote debugging
                  • Enumerates system info in registry
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  PID:5556
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb213b3cb8,0x7ffb213b3cc8,0x7ffb213b3cd8
                    3⤵
                      PID:6020
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --no-sandbox --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1860 /prefetch:2
                      3⤵
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3092
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2032 /prefetch:3
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5064
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2348 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3172
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
                      3⤵
                      • Uses browser remote debugging
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2432
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
                      3⤵
                      • Uses browser remote debugging
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5144
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
                      3⤵
                      • Uses browser remote debugging
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3132
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
                      3⤵
                      • Uses browser remote debugging
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2404
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                    2⤵
                      PID:5060
                      • C:\Windows\system32\tasklist.exe
                        tasklist
                        3⤵
                        • Enumerates processes with tasklist
                        PID:4432
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                      2⤵
                        PID:2112
                        • C:\Windows\system32\tasklist.exe
                          tasklist
                          3⤵
                          • Enumerates processes with tasklist
                          PID:460
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                        2⤵
                          PID:5448
                          • C:\Windows\system32\tasklist.exe
                            tasklist
                            3⤵
                            • Enumerates processes with tasklist
                            PID:3696
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
                          2⤵
                            PID:5336
                            • C:\Windows\system32\where.exe
                              where /r . *.sqlite
                              3⤵
                                PID:5304
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
                              2⤵
                                PID:5168
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /F /T /IM chrome.exe
                                  3⤵
                                  • Kills process with taskkill
                                  PID:3120
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
                                2⤵
                                  PID:6128
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /F /T /IM msedge.exe
                                    3⤵
                                    • Kills process with taskkill
                                    PID:1320
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
                                  2⤵
                                    PID:5364
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill /F /T /IM chrome.exe
                                      3⤵
                                      • Kills process with taskkill
                                      PID:3836
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
                                    2⤵
                                      PID:4440
                                      • C:\Windows\system32\taskkill.exe
                                        taskkill /F /T /IM msedge.exe
                                        3⤵
                                        • Kills process with taskkill
                                        PID:1900
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
                                      2⤵
                                        PID:4568
                                        • C:\Windows\system32\taskkill.exe
                                          taskkill /F /T /IM chrome.exe
                                          3⤵
                                          • Kills process with taskkill
                                          PID:4468
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
                                        2⤵
                                          PID:4756
                                          • C:\Windows\system32\taskkill.exe
                                            taskkill /F /T /IM msedge.exe
                                            3⤵
                                            • Kills process with taskkill
                                            PID:564
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM EpicGamesLauncher.exe /F"
                                          2⤵
                                            PID:4560
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /IM EpicGamesLauncher.exe /F
                                              3⤵
                                              • Kills process with taskkill
                                              PID:3476
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM javaw.exe /F"
                                            2⤵
                                              PID:892
                                              • C:\Windows\system32\taskkill.exe
                                                taskkill /IM javaw.exe /F
                                                3⤵
                                                • Kills process with taskkill
                                                PID:4680
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM Steam.exe /F"
                                              2⤵
                                                PID:5988
                                                • C:\Windows\system32\taskkill.exe
                                                  taskkill /IM Steam.exe /F
                                                  3⤵
                                                  • Kills process with taskkill
                                                  PID:4864
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                2⤵
                                                  PID:5056
                                                  • C:\Windows\system32\tasklist.exe
                                                    tasklist
                                                    3⤵
                                                    • Enumerates processes with tasklist
                                                    PID:3752
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /d /s /c "wscript "C:\Users\Admin\AppData\Local\Temp\dc5e9e191a4523e7.vbs""
                                                  2⤵
                                                    PID:2540
                                                    • C:\Windows\system32\wscript.exe
                                                      wscript "C:\Users\Admin\AppData\Local\Temp\dc5e9e191a4523e7.vbs"
                                                      3⤵
                                                        PID:5440
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /d /s /c "cscript //B "C:\Users\Admin\AppData\Local\Temp\open.vbs""
                                                      2⤵
                                                        PID:4744
                                                        • C:\Windows\system32\cscript.exe
                                                          cscript //B "C:\Users\Admin\AppData\Local\Temp\open.vbs"
                                                          3⤵
                                                            PID:5136
                                                            • C:\Users\Admin\AppData\Local\Temp\hexon_d5227351395ba785.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\hexon_d5227351395ba785.exe" gayarwez discord
                                                              4⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              PID:2260
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
                                                                5⤵
                                                                  PID:1608
                                                                  • C:\Windows\System32\reg.exe
                                                                    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
                                                                    6⤵
                                                                      PID:5560
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\20241020-2260-a2xwx7.2ru55.png" "
                                                                    5⤵
                                                                      PID:6048
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
                                                                        6⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:5128
                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1930.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC20768888A52F4E01B1C45DEDAF4E7593.TMP"
                                                                          7⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:5876
                                                                      • C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
                                                                        screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\20241020-2260-a2xwx7.2ru55.png"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        PID:2508
                                                              • C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1828,i,14174224797291090694,2950330569913280093,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
                                                                2⤵
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:2024
                                                            • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                              "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                              1⤵
                                                                PID:4864

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                                Filesize

                                                                2B

                                                                MD5

                                                                d751713988987e9331980363e24189ce

                                                                SHA1

                                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                                SHA256

                                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                SHA512

                                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                Filesize

                                                                152B

                                                                MD5

                                                                c03d23a8155753f5a936bd7195e475bc

                                                                SHA1

                                                                cdf47f410a3ec000e84be83a3216b54331679d63

                                                                SHA256

                                                                6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

                                                                SHA512

                                                                6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                Filesize

                                                                152B

                                                                MD5

                                                                3d68c7edc2a288ee58e6629398bb9f7c

                                                                SHA1

                                                                6c1909dea9321c55cae38b8f16bd9d67822e2e51

                                                                SHA256

                                                                dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

                                                                SHA512

                                                                0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                Filesize

                                                                5KB

                                                                MD5

                                                                1a9974594b628b7ecefd77b45062f35a

                                                                SHA1

                                                                4f07d80574872c5a76de8ef45e368656b7fc6da4

                                                                SHA256

                                                                dd7fb7d5db8ee937380e29325c88efc06a78c9454ccd56324a5a7d5f7a16635b

                                                                SHA512

                                                                100d610a33ca6915b194f163e0f4b8397070480f8ac658e771b9d8ae30945166421d83e929ed1cd5e67ddba84b4f90cc0f5ef6b8c4903d9a4fdf43c0f1b76c10

                                                              • C:\Users\Admin\AppData\Local\Temp\20241020-2260-a2xwx7.2ru55.png

                                                                Filesize

                                                                419KB

                                                                MD5

                                                                568a2dbbfd8c7ab8f6111d0b29e8e05e

                                                                SHA1

                                                                0d9a7a7a33d8fcb97d6f7f9a9c867013a82a0cf2

                                                                SHA256

                                                                88a30c25ae23875f86d553ad36f2fab8559109804bf205d9afcdc480ae6c2c12

                                                                SHA512

                                                                6fcb9fe44ebcef7f7326892e2cc0e89d637487c709e800232108780b0202c259c020cbeb6de122ecfe2d7e1067b0318622108c154e8a8393560c86471ca4e7b0

                                                              • C:\Users\Admin\AppData\Local\Temp\784afb98-e23a-4b22-b99c-ded2c6043a36.tmp.node

                                                                Filesize

                                                                137KB

                                                                MD5

                                                                04bfbfec8db966420fe4c7b85ebb506a

                                                                SHA1

                                                                939bb742a354a92e1dcd3661a62d69e48030a335

                                                                SHA256

                                                                da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

                                                                SHA512

                                                                4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

                                                              • C:\Users\Admin\AppData\Local\Temp\RES1930.tmp

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                8dbb631a5a88cfb301604cf18626f817

                                                                SHA1

                                                                dc7f2123dbb6d5b565602631981e4e45549e5913

                                                                SHA256

                                                                5f51751ba42349b906764906442915df85c9cea6e6650a3f67e6de61bedef55c

                                                                SHA512

                                                                0126d1a149c0a18c4616c597f9840a439a71f0e02786b24f276590bd00f8a387991900361b7143888fbb8043dcc984c0ac91aefa0e168879aa033cd9cbaeab08

                                                              • C:\Users\Admin\AppData\Local\Temp\a1b4d9b4-a50f-4f1d-9d85-66edeb5dcd96.tmp.node

                                                                Filesize

                                                                1.4MB

                                                                MD5

                                                                56192831a7f808874207ba593f464415

                                                                SHA1

                                                                e0c18c72a62692d856da1f8988b0bc9c8088d2aa

                                                                SHA256

                                                                6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

                                                                SHA512

                                                                c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

                                                              • C:\Users\Admin\AppData\Local\Temp\dc5e9e191a4523e7.vbs

                                                                Filesize

                                                                150KB

                                                                MD5

                                                                728733013de86d0f283e8e692c014b23

                                                                SHA1

                                                                7dda99d8c319ae7503168c015f3002bcf39bf138

                                                                SHA256

                                                                46f1eb4d544ef526270a43af588279ff80df31b71a4d887bcd181ae8022c536e

                                                                SHA512

                                                                6cf3c70c74277637bf7e77726e9bb6fcc7768db5b5f8d0affcbfdcbd040a9febc4ab44be75cfe081c4f7dc571ff310de4091cc2c4ea5e34041552e24a9df7d89

                                                              • C:\Users\Admin\AppData\Local\Temp\open.vbs

                                                                Filesize

                                                                178B

                                                                MD5

                                                                9c06a67b84c41dc3eb24a723faf1bcb0

                                                                SHA1

                                                                f09931552d416fb00447fc6bdb9fe68777280bd8

                                                                SHA256

                                                                01af54dc309f701a9b4b9565db044d9feeff9b565e8e4c983b7851f5f232301d

                                                                SHA512

                                                                5203745911a63d5dd50e8db58fe11e5f26ace4d4394e0cd28ba501fe19dd128af1a56f56a4dcc03a71ba21ef933248e8dc7466a34d8723a6d875e1db20847c95

                                                              • C:\Users\Admin\AppData\Local\Temp\passwords_0.db

                                                                Filesize

                                                                40KB

                                                                MD5

                                                                a182561a527f929489bf4b8f74f65cd7

                                                                SHA1

                                                                8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                SHA256

                                                                42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                SHA512

                                                                9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                              • C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                66a65322c9d362a23cf3d3f7735d5430

                                                                SHA1

                                                                ed59f3e4b0b16b759b866ef7293d26a1512b952e

                                                                SHA256

                                                                f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

                                                                SHA512

                                                                0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

                                                              • C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

                                                                Filesize

                                                                13KB

                                                                MD5

                                                                da0f40d84d72ae3e9324ad9a040a2e58

                                                                SHA1

                                                                4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

                                                                SHA256

                                                                818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

                                                                SHA512

                                                                30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

                                                              • C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

                                                                Filesize

                                                                12KB

                                                                MD5

                                                                c4c861886d1da20afd1faeff492b2ead

                                                                SHA1

                                                                ea24395813b5cebf46bdf2e3374bb9c12f8f838d

                                                                SHA256

                                                                28c54cc36845e4208e86e045a9cce8292d3682eeb417043723f93491662a1ac5

                                                                SHA512

                                                                3ae16b205dec63dde0194d618e1ea0117cb130c783eb916cfe68f849e7cc09e9e216f2e0eeda256e9f9c1b6db8b0d674cbc18417a3b9eb226351c4788f91d501

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC20768888A52F4E01B1C45DEDAF4E7593.TMP

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                a6f2d21624678f54a2abed46e9f3ab17

                                                                SHA1

                                                                a2a6f07684c79719007d434cbd1cd2164565734a

                                                                SHA256

                                                                ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

                                                                SHA512

                                                                0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

                                                                Filesize

                                                                350B

                                                                MD5

                                                                8951565428aa6644f1505edb592ab38f

                                                                SHA1

                                                                9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2

                                                                SHA256

                                                                8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

                                                                SHA512

                                                                7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

                                                              • \??\pipe\crashpad_1544_VANFNNJYNASRGLYF

                                                                MD5

                                                                d41d8cd98f00b204e9800998ecf8427e

                                                                SHA1

                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                SHA256

                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                SHA512

                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                              • memory/2024-193-0x0000020E81990000-0x0000020E81991000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/2024-192-0x0000020E81990000-0x0000020E81991000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/2024-194-0x0000020E81990000-0x0000020E81991000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/2024-198-0x0000020E81990000-0x0000020E81991000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/2024-200-0x0000020E81990000-0x0000020E81991000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/2024-204-0x0000020E81990000-0x0000020E81991000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/2024-203-0x0000020E81990000-0x0000020E81991000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/2024-202-0x0000020E81990000-0x0000020E81991000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/2024-201-0x0000020E81990000-0x0000020E81991000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/2024-199-0x0000020E81990000-0x0000020E81991000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/2508-186-0x0000000000240000-0x000000000024A000-memory.dmp

                                                                Filesize

                                                                40KB