Analysis
max time kernel: 601s
max time network: 586s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20-11-2024 19:33
Static task: static1
Behavioral task behavioral1: sample CrystalSiegeDemo.exe, resource win10ltsc2021-20241023-en
Behavioral task behavioral2: sample CrystalSiegeDemo.exe, resource win11-20241007-en
Behavioral task behavioral3: sample CrystalSiege.exe, resource win10ltsc2021-20241023-en
Behavioral task behavioral4: sample CrystalSiege.exe, resource win11-20241007-en
General
Target: CrystalSiege.exe
Size: 154.6MB
MD5: ff881bc6d9f56f353232a177575d0f1f
SHA1: 9d2fea770f59f05a6480a5f8915227bc6457f74c
SHA256: 690323b53f29fd18687a9049d7c4c26cb8346a8a4b65c51660a55ae6141f4dab
SHA512: e5bdda697e1572c969081548a84d3553fcd3ea45395eb0de2ae9f0f91308fd54edf0eb222d1d8cb99a12e83196cb3364488e86ebc4991eb63937dd7a1662fc5e
SSDEEP: 1572864:gTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:Tv6E70+Mk
Malware Config
Signatures
- Hexon family
- Uses browser remote debugging (2 TTPs, 9 IoCs)
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
  Processes (PID, process):
  3132 msedge.exe
  1544 chrome.exe
  5556 msedge.exe
  5144 msedge.exe
  2432 msedge.exe
  3904 chrome.exe
  2936 chrome.exe
  5544 chrome.exe
  2404 msedge.exe
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs (CrystalSiege.exe)
- Executes dropped EXE (2 IoCs)
  Processes (PID, process):
  2260 hexon_d5227351395ba785.exe
  2508 screenCapture_1.3.2.exe
- Loads dropped DLL (4 IoCs)
  Processes (PID, process):
  2932 CrystalSiege.exe
  2932 CrystalSiege.exe
  2260 hexon_d5227351395ba785.exe
  2260 hexon_d5227351395ba785.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates processes with tasklist (1 TTP, 7 IoCs)
  Processes (PID, process):
  2380 tasklist.exe
  1560 tasklist.exe
  3328 tasklist.exe
  460 tasklist.exe
  4432 tasklist.exe
  3696 tasklist.exe
  3752 tasklist.exe
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\SystemTemp (chrome.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (csc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cvtres.exe)
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Kills process with taskkill (9 IoCs)
  Processes (PID, process):
  1320 taskkill.exe
  4680 taskkill.exe
  4864 taskkill.exe
  1900 taskkill.exe
  564 taskkill.exe
  3476 taskkill.exe
  3836 taskkill.exe
  3120 taskkill.exe
  4468 taskkill.exe
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3870231897-2573482396-1083937135-1000\{280C3CC2-55E2-4D64-8DCB-937BCEF1042E} (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes (PID, process):
  5632 CrystalSiege.exe
  5632 CrystalSiege.exe
  1544 chrome.exe
  1544 chrome.exe
  3092 msedge.exe
  3092 msedge.exe
  5064 msedge.exe
  5064 msedge.exe
  3172 msedge.exe
  3172 msedge.exe
  2432 msedge.exe
  2432 msedge.exe
  5556 msedge.exe
  5556 msedge.exe
  5144 msedge.exe
  5144 msedge.exe
  2404 msedge.exe
  2404 msedge.exe
  3132 msedge.exe
  3132 msedge.exe
  2024 CrystalSiege.exe
  2024 CrystalSiege.exe
  2024 CrystalSiege.exe
  2024 CrystalSiege.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Tokens adjusted by 5908 WMIC.exe (the whole set is listed twice in the report):
  SeIncreaseQuotaPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfSingleProcessPrivilege
  SeIncBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeDebugPrivilege
  SeSystemEnvironmentPrivilege
  SeRemoteShutdownPrivilege
  SeUndockPrivilege
  SeManageVolumePrivilege
  33
  34
  35
  36
  Remaining rows (token, PID, process), in report order:
  SeShutdownPrivilege 2932 CrystalSiege.exe
  SeCreatePagefilePrivilege 2932 CrystalSiege.exe
  SeDebugPrivilege 2380 tasklist.exe
  SeDebugPrivilege 1560 tasklist.exe
  SeShutdownPrivilege 2932 CrystalSiege.exe
  SeCreatePagefilePrivilege 2932 CrystalSiege.exe
  SeDebugPrivilege 3328 tasklist.exe
  SeShutdownPrivilege 2932 CrystalSiege.exe
  SeCreatePagefilePrivilege 2932 CrystalSiege.exe
  SeShutdownPrivilege 1544 chrome.exe
  SeCreatePagefilePrivilege 1544 chrome.exe
  SeShutdownPrivilege 2932 CrystalSiege.exe
  SeCreatePagefilePrivilege 2932 CrystalSiege.exe
  SeShutdownPrivilege 1544 chrome.exe
  SeCreatePagefilePrivilege 1544 chrome.exe
  SeShutdownPrivilege 2932 CrystalSiege.exe
  SeCreatePagefilePrivilege 2932 CrystalSiege.exe
  SeShutdownPrivilege 1544 chrome.exe
  SeCreatePagefilePrivilege 1544 chrome.exe
  SeShutdownPrivilege 2932 CrystalSiege.exe
  SeCreatePagefilePrivilege 2932 CrystalSiege.exe
  SeShutdownPrivilege 2932 CrystalSiege.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (PID, process):
  1544 chrome.exe
  5556 msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Rows (source PID and process, target PID, procid_target), in report order:
  2932 CrystalSiege.exe wrote to memory of 5360, target 77
  2932 CrystalSiege.exe wrote to memory of 5360, target 77
  5360 cmd.exe wrote to memory of 5908, target 79
  5360 cmd.exe wrote to memory of 5908, target 79
  2932 CrystalSiege.exe wrote to memory of 2828, target 81 (this row is repeated 29 times)
  2932 CrystalSiege.exe wrote to memory of 5632, target 82
  2932 CrystalSiege.exe wrote to memory of 5632, target 82
  2932 CrystalSiege.exe wrote to memory of 4028, target 83
  2932 CrystalSiege.exe wrote to memory of 4028, target 83
  4028 cmd.exe wrote to memory of 2380, target 85
  4028 cmd.exe wrote to memory of 2380, target 85
  2932 CrystalSiege.exe wrote to memory of 4796, target 86
  2932 CrystalSiege.exe wrote to memory of 4796, target 86
  4796 cmd.exe wrote to memory of 2216, target 88
  4796 cmd.exe wrote to memory of 2216, target 88
  2932 CrystalSiege.exe wrote to memory of 1520, target 89
  2932 CrystalSiege.exe wrote to memory of 1520, target 89
  1520 cmd.exe wrote to memory of 1560, target 91
  1520 cmd.exe wrote to memory of 1560, target 91
  2932 CrystalSiege.exe wrote to memory of 4068, target 92
  2932 CrystalSiege.exe wrote to memory of 4068, target 92
  4068 cmd.exe wrote to memory of 3328, target 94
  4068 cmd.exe wrote to memory of 3328, target 94
  2932 CrystalSiege.exe wrote to memory of 1544, target 95
  2932 CrystalSiege.exe wrote to memory of 1544, target 95
  1544 chrome.exe wrote to memory of 4276, target 96
  1544 chrome.exe wrote to memory of 4276, target 96
  1544 chrome.exe wrote to memory of 988, target 97
  1544 chrome.exe wrote to memory of 988, target 97
  1544 chrome.exe wrote to memory of 1328, target 98
  1544 chrome.exe wrote to memory of 1328, target 98
  1544 chrome.exe wrote to memory of 4804, target 99
  1544 chrome.exe wrote to memory of 4804, target 99
  1544 chrome.exe wrote to memory of 2936, target 100
Processes
(process tree; indentation shows parent/child depth, each node gives image path, PID, command line and matched signatures)

- C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe (PID 2932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe"
  Signatures: Drops startup file; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 5360)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 5908)
      Command line: wmic csproduct get uuid
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe (PID 2828)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1828,i,14174224797291090694,2950330569913280093,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  - C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe (PID 5632)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --mojo-platform-channel-handle=2000 --field-trial-handle=1828,i,14174224797291090694,2950330569913280093,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\cmd.exe (PID 4028)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 2380)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4796)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\where.exe (PID 2216)
      Command line: where /r . cookies.sqlite
  - C:\Windows\system32\cmd.exe (PID 1520)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 1560)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4068)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 3328)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1544)
    Command line: "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9223 --profile-directory=Default --disable-gpu --no-sandbox --window-position=-32000,-32000
    Signatures: Uses browser remote debugging; Drops file in Windows directory; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4276)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb246ccc40,0x7ffb246ccc4c,0x7ffb246ccc58
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 988)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1944,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1328)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1796,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1752 /prefetch:3
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4804)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=2020,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2936)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2868,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2880 /prefetch:1
      Signatures: Uses browser remote debugging
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3904)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2884,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2900 /prefetch:1
      Signatures: Uses browser remote debugging
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5544)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3992,i,4925537920658189347,11945146540947912663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3956 /prefetch:1
      Signatures: Uses browser remote debugging
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5556)
    Command line: "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --disable-gpu --no-sandbox --window-position=-32000,-32000
    Signatures: Uses browser remote debugging; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6020)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb213b3cb8,0x7ffb213b3cc8,0x7ffb213b3cd8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3092)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --no-sandbox --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1860 /prefetch:2
      Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5064)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2032 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3172)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2348 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2432)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
      Signatures: Uses browser remote debugging; Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5144)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
      Signatures: Uses browser remote debugging; Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3132)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
      Signatures: Uses browser remote debugging; Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2404)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1844,4839515729875910611,1879031351620292009,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
      Signatures: Uses browser remote debugging; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\cmd.exe (PID 5060)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - C:\Windows\system32\tasklist.exe (PID 4432)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist
  - C:\Windows\system32\cmd.exe (PID 2112)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - C:\Windows\system32\tasklist.exe (PID 460)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist
  - C:\Windows\system32\cmd.exe (PID 5448)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - C:\Windows\system32\tasklist.exe (PID 3696)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist
  - C:\Windows\system32\cmd.exe (PID 5336)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
    - C:\Windows\system32\where.exe (PID 5304)
      Command line: where /r . *.sqlite
  - C:\Windows\system32\cmd.exe (PID 5168)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
    - C:\Windows\system32\taskkill.exe (PID 3120)
      Command line: taskkill /F /T /IM chrome.exe
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe (PID 6128)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
    - C:\Windows\system32\taskkill.exe (PID 1320)
      Command line: taskkill /F /T /IM msedge.exe
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe (PID 5364)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
    - C:\Windows\system32\taskkill.exe (PID 3836)
      Command line: taskkill /F /T /IM chrome.exe
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe (PID 4440)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
    - C:\Windows\system32\taskkill.exe (PID 1900)
      Command line: taskkill /F /T /IM msedge.exe
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe (PID 4568)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
    - C:\Windows\system32\taskkill.exe (PID 4468)
      Command line: taskkill /F /T /IM chrome.exe
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe (PID 4756)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
    - C:\Windows\system32\taskkill.exe (PID 564)
      Command line: taskkill /F /T /IM msedge.exe
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe (PID 4560)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM EpicGamesLauncher.exe /F"
    - C:\Windows\system32\taskkill.exe (PID 3476)
      Command line: taskkill /IM EpicGamesLauncher.exe /F
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe (PID 892)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM javaw.exe /F"
    - C:\Windows\system32\taskkill.exe (PID 4680)
      Command line: taskkill /IM javaw.exe /F
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe (PID 5988)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM Steam.exe /F"
    - C:\Windows\system32\taskkill.exe (PID 4864)
      Command line: taskkill /IM Steam.exe /F
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe (PID 5056)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - C:\Windows\system32\tasklist.exe (PID 3752)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist
  - C:\Windows\system32\cmd.exe (PID 2540)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wscript "C:\Users\Admin\AppData\Local\Temp\dc5e9e191a4523e7.vbs""
    - C:\Windows\system32\wscript.exe (PID 5440)
      Command line: wscript "C:\Users\Admin\AppData\Local\Temp\dc5e9e191a4523e7.vbs"
  - C:\Windows\system32\cmd.exe (PID 4744)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "cscript //B "C:\Users\Admin\AppData\Local\Temp\open.vbs""
    - C:\Windows\system32\cscript.exe (PID 5136)
      Command line: cscript //B "C:\Users\Admin\AppData\Local\Temp\open.vbs"
      - C:\Users\Admin\AppData\Local\Temp\hexon_d5227351395ba785.exe (PID 2260)
        Command line: "C:\Users\Admin\AppData\Local\Temp\hexon_d5227351395ba785.exe" gayarwez discord
        Signatures: Executes dropped EXE; Loads dropped DLL
        - C:\Windows\system32\cmd.exe (PID 1608)
          Command line: C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
          - C:\Windows\System32\reg.exe (PID 5560)
            Command line: C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
        - C:\Windows\system32\cmd.exe (PID 6048)
          Command line: C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\20241020-2260-a2xwx7.2ru55.png" "
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 5128)
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
            Signatures: System Location Discovery: System Language Discovery
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 5876)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1930.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC20768888A52F4E01B1C45DEDAF4E7593.TMP"
              Signatures: System Location Discovery: System Language Discovery
          - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe (PID 2508)
            Command line: screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\20241020-2260-a2xwx7.2ru55.png"
            Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe (PID 2024)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1828,i,14174224797291090694,2950330569913280093,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 4864)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 152B
  MD5: c03d23a8155753f5a936bd7195e475bc
  SHA1: cdf47f410a3ec000e84be83a3216b54331679d63
  SHA256: 6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca
  SHA512: 6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41
- Filesize: 152B
  MD5: 3d68c7edc2a288ee58e6629398bb9f7c
  SHA1: 6c1909dea9321c55cae38b8f16bd9d67822e2e51
  SHA256: dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b
  SHA512: 0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f
- Filesize: 5KB
  MD5: 1a9974594b628b7ecefd77b45062f35a
  SHA1: 4f07d80574872c5a76de8ef45e368656b7fc6da4
  SHA256: dd7fb7d5db8ee937380e29325c88efc06a78c9454ccd56324a5a7d5f7a16635b
  SHA512: 100d610a33ca6915b194f163e0f4b8397070480f8ac658e771b9d8ae30945166421d83e929ed1cd5e67ddba84b4f90cc0f5ef6b8c4903d9a4fdf43c0f1b76c10
- Filesize: 419KB
  MD5: 568a2dbbfd8c7ab8f6111d0b29e8e05e
  SHA1: 0d9a7a7a33d8fcb97d6f7f9a9c867013a82a0cf2
  SHA256: 88a30c25ae23875f86d553ad36f2fab8559109804bf205d9afcdc480ae6c2c12
  SHA512: 6fcb9fe44ebcef7f7326892e2cc0e89d637487c709e800232108780b0202c259c020cbeb6de122ecfe2d7e1067b0318622108c154e8a8393560c86471ca4e7b0
- Filesize: 137KB
  MD5: 04bfbfec8db966420fe4c7b85ebb506a
  SHA1: 939bb742a354a92e1dcd3661a62d69e48030a335
  SHA256: da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
  SHA512: 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65
- Filesize: 1KB
  MD5: 8dbb631a5a88cfb301604cf18626f817
  SHA1: dc7f2123dbb6d5b565602631981e4e45549e5913
  SHA256: 5f51751ba42349b906764906442915df85c9cea6e6650a3f67e6de61bedef55c
  SHA512: 0126d1a149c0a18c4616c597f9840a439a71f0e02786b24f276590bd00f8a387991900361b7143888fbb8043dcc984c0ac91aefa0e168879aa033cd9cbaeab08
- Filesize: 1.4MB
  MD5: 56192831a7f808874207ba593f464415
  SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
  SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
  SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33
- Filesize: 150KB
  MD5: 728733013de86d0f283e8e692c014b23
  SHA1: 7dda99d8c319ae7503168c015f3002bcf39bf138
  SHA256: 46f1eb4d544ef526270a43af588279ff80df31b71a4d887bcd181ae8022c536e
  SHA512: 6cf3c70c74277637bf7e77726e9bb6fcc7768db5b5f8d0affcbfdcbd040a9febc4ab44be75cfe081c4f7dc571ff310de4091cc2c4ea5e34041552e24a9df7d89
- Filesize: 178B
  MD5: 9c06a67b84c41dc3eb24a723faf1bcb0
  SHA1: f09931552d416fb00447fc6bdb9fe68777280bd8
  SHA256: 01af54dc309f701a9b4b9565db044d9feeff9b565e8e4c983b7851f5f232301d
  SHA512: 5203745911a63d5dd50e8db58fe11e5f26ace4d4394e0cd28ba501fe19dd128af1a56f56a4dcc03a71ba21ef933248e8dc7466a34d8723a6d875e1db20847c95
- Filesize: 40KB
  MD5: a182561a527f929489bf4b8f74f65cd7
  SHA1: 8cd6866594759711ea1836e86a5b7ca64ee8911f
  SHA256: 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
  SHA512: 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
- C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
  Filesize: 1.8MB
  MD5: 66a65322c9d362a23cf3d3f7735d5430
  SHA1: ed59f3e4b0b16b759b866ef7293d26a1512b952e
  SHA256: f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
  SHA512: 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21
- Filesize: 13KB
  MD5: da0f40d84d72ae3e9324ad9a040a2e58
  SHA1: 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
  SHA256: 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
  SHA512: 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9
- Filesize: 12KB
  MD5: c4c861886d1da20afd1faeff492b2ead
  SHA1: ea24395813b5cebf46bdf2e3374bb9c12f8f838d
  SHA256: 28c54cc36845e4208e86e045a9cce8292d3682eeb417043723f93491662a1ac5
  SHA512: 3ae16b205dec63dde0194d618e1ea0117cb130c783eb916cfe68f849e7cc09e9e216f2e0eeda256e9f9c1b6db8b0d674cbc18417a3b9eb226351c4788f91d501
- Filesize: 1KB
  MD5: a6f2d21624678f54a2abed46e9f3ab17
  SHA1: a2a6f07684c79719007d434cbd1cd2164565734a
  SHA256: ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344
  SHA512: 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676
- Filesize: 350B
  MD5: 8951565428aa6644f1505edb592ab38f
  SHA1: 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2
  SHA256: 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83
  SHA512: 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e