Analysis

  • max time kernel
    600s
  • max time network
    605s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    23-11-2024 00:46

General

  • Target

    CrystalSiege.exe

  • Size

    154.6MB

  • MD5

    ff881bc6d9f56f353232a177575d0f1f

  • SHA1

    9d2fea770f59f05a6480a5f8915227bc6457f74c

  • SHA256

    690323b53f29fd18687a9049d7c4c26cb8346a8a4b65c51660a55ae6141f4dab

  • SHA512

    e5bdda697e1572c969081548a84d3553fcd3ea45395eb0de2ae9f0f91308fd54edf0eb222d1d8cb99a12e83196cb3364488e86ebc4991eb63937dd7a1662fc5e

  • SSDEEP

    1572864:gTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:Tv6E70+Mk

Malware Config

Signatures

  • Hexon family
  • Hexon stealer

    Hexon is a stealer written in Electron NodeJS.

  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates processes with tasklist 1 TTPs 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 9 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
    "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3148
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1860
    • C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
      "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1820,i,13332806268252173299,5270368670886337533,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:1452
      • C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
        "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --mojo-platform-channel-handle=2024 --field-trial-handle=1820,i,13332806268252173299,5270368670886337533,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2060
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:240
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:976
        • C:\Windows\system32\where.exe
          where /r . cookies.sqlite
          3⤵
            PID:3320
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\system32\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:3364
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4688
          • C:\Windows\system32\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4636
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9223 --profile-directory=Default --disable-gpu --no-sandbox --window-position=-32000,-32000
          2⤵
          • Uses browser remote debugging
          • Drops file in Windows directory
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2972
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe00fcc40,0x7ffbe00fcc4c,0x7ffbe00fcc58
            3⤵
              PID:4024
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1928,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
              3⤵
                PID:4500
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1760,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:3
                3⤵
                  PID:4800
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=1996,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2004 /prefetch:8
                  3⤵
                    PID:4908
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2844,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2864 /prefetch:1
                    3⤵
                    • Uses browser remote debugging
                    PID:3508
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2868,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2892 /prefetch:1
                    3⤵
                    • Uses browser remote debugging
                    PID:4804
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3840,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3936 /prefetch:1
                    3⤵
                    • Uses browser remote debugging
                    PID:2384
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --disable-gpu --no-sandbox --window-position=-32000,-32000
                  2⤵
                  • Uses browser remote debugging
                  • Enumerates system info in registry
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  PID:2716
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbdcd63cb8,0x7ffbdcd63cc8,0x7ffbdcd63cd8
                    3⤵
                      PID:4232
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --no-sandbox --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1932 /prefetch:2
                      3⤵
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3416
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2236 /prefetch:3
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2892
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2608 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2708
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
                      3⤵
                      • Uses browser remote debugging
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1008
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
                      3⤵
                      • Uses browser remote debugging
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3672
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1
                      3⤵
                      • Uses browser remote debugging
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2164
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
                      3⤵
                      • Uses browser remote debugging
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1872
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=4200 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2320
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                    2⤵
                      PID:1692
                      • C:\Windows\system32\tasklist.exe
                        tasklist
                        3⤵
                        • Enumerates processes with tasklist
                        PID:5044
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                      2⤵
                        PID:2172
                        • C:\Windows\system32\tasklist.exe
                          tasklist
                          3⤵
                          • Enumerates processes with tasklist
                          PID:744
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                        2⤵
                          PID:4684
                          • C:\Windows\system32\tasklist.exe
                            tasklist
                            3⤵
                            • Enumerates processes with tasklist
                            PID:3176
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
                          2⤵
                            PID:1572
                            • C:\Windows\system32\where.exe
                              where /r . *.sqlite
                              3⤵
                                PID:1044
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
                              2⤵
                                PID:1340
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /F /T /IM chrome.exe
                                  3⤵
                                  • Kills process with taskkill
                                  PID:1284
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
                                2⤵
                                  PID:3200
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /F /T /IM msedge.exe
                                    3⤵
                                    • Kills process with taskkill
                                    PID:2816
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
                                  2⤵
                                    PID:2068
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill /F /T /IM chrome.exe
                                      3⤵
                                      • Kills process with taskkill
                                      PID:976
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
                                    2⤵
                                      PID:5076
                                      • C:\Windows\system32\taskkill.exe
                                        taskkill /F /T /IM msedge.exe
                                        3⤵
                                        • Kills process with taskkill
                                        PID:4656
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
                                      2⤵
                                        PID:1492
                                        • C:\Windows\system32\taskkill.exe
                                          taskkill /F /T /IM chrome.exe
                                          3⤵
                                          • Kills process with taskkill
                                          PID:2456
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
                                        2⤵
                                          PID:1948
                                          • C:\Windows\system32\taskkill.exe
                                            taskkill /F /T /IM msedge.exe
                                            3⤵
                                            • Kills process with taskkill
                                            PID:3132
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM EpicGamesLauncher.exe /F"
                                          2⤵
                                            PID:868
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /IM EpicGamesLauncher.exe /F
                                              3⤵
                                              • Kills process with taskkill
                                              PID:2024
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM javaw.exe /F"
                                            2⤵
                                              PID:4720
                                              • C:\Windows\system32\taskkill.exe
                                                taskkill /IM javaw.exe /F
                                                3⤵
                                                • Kills process with taskkill
                                                PID:3104
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM Steam.exe /F"
                                              2⤵
                                                PID:1668
                                                • C:\Windows\system32\taskkill.exe
                                                  taskkill /IM Steam.exe /F
                                                  3⤵
                                                  • Kills process with taskkill
                                                  PID:2760
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                2⤵
                                                  PID:3584
                                                  • C:\Windows\system32\tasklist.exe
                                                    tasklist
                                                    3⤵
                                                    • Enumerates processes with tasklist
                                                    PID:3232
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /d /s /c "wscript "C:\Users\Admin\AppData\Local\Temp\8d29ae364174122e.vbs""
                                                  2⤵
                                                    PID:3120
                                                    • C:\Windows\system32\wscript.exe
                                                      wscript "C:\Users\Admin\AppData\Local\Temp\8d29ae364174122e.vbs"
                                                      3⤵
                                                        PID:3564
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /d /s /c "cscript //B "C:\Users\Admin\AppData\Local\Temp\open.vbs""
                                                      2⤵
                                                        PID:3640
                                                        • C:\Windows\system32\cscript.exe
                                                          cscript //B "C:\Users\Admin\AppData\Local\Temp\open.vbs"
                                                          3⤵
                                                            PID:2408
                                                            • C:\Users\Admin\AppData\Local\Temp\hexon_5342088f19a1291a.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\hexon_5342088f19a1291a.exe" gayarwez discord
                                                              4⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              PID:4428
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
                                                                5⤵
                                                                  PID:1852
                                                                  • C:\Windows\System32\reg.exe
                                                                    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
                                                                    6⤵
                                                                      PID:2204
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\20241023-4428-1ki73nv.9ir7f.png" "
                                                                    5⤵
                                                                      PID:3388
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
                                                                        6⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:5032
                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FD7.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCE6429B28DBD34D3E88473E90AB6897A5.TMP"
                                                                          7⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3108
                                                                      • C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
                                                                        screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\20241023-4428-1ki73nv.9ir7f.png"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        PID:3916
                                                              • C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2616 --field-trial-handle=1820,i,13332806268252173299,5270368670886337533,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
                                                                2⤵
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:1492
                                                            • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                              "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                              1⤵
                                                                PID:1128

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                                Filesize

                                                                2B

                                                                MD5

                                                                d751713988987e9331980363e24189ce

                                                                SHA1

                                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                                SHA256

                                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                SHA512

                                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                Filesize

                                                                152B

                                                                MD5

                                                                d91478312beae099b8ed57e547611ba2

                                                                SHA1

                                                                4b927559aedbde267a6193e3e480fb18e75c43d7

                                                                SHA256

                                                                df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

                                                                SHA512

                                                                4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                Filesize

                                                                152B

                                                                MD5

                                                                d7145ec3fa29a4f2df900d1418974538

                                                                SHA1

                                                                1368d579635ba1a53d7af0ed89bf0b001f149f9d

                                                                SHA256

                                                                efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

                                                                SHA512

                                                                5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                Filesize

                                                                5KB

                                                                MD5

                                                                75dee9f597d68e0b639fea94dd2c5a97

                                                                SHA1

                                                                1efca2064cc2ddcad579cd73a96d138171679902

                                                                SHA256

                                                                5d6e42b5be354ec0f0ccc6ee864cabdf4a791cddf51339ae6714b94b1ac044f3

                                                                SHA512

                                                                4da82d2782d9e44150ca9826acc60129f1edb0725f000547744f1492fae83d67fb2285ae2bebbfb2f7253c35c93bb6d289d397db2c944c02234bb09e816183d5

                                                              • C:\Users\Admin\AppData\Local\Temp\20241023-4428-1ki73nv.9ir7f.png

                                                                Filesize

                                                                411KB

                                                                MD5

                                                                d10c28160b410a2590d5e1e36dbe8a4f

                                                                SHA1

                                                                c75aeb2032ce41911b59dd41f7132fba6842b6fa

                                                                SHA256

                                                                7955a1d75e1b22f72467a515e55766456cd2eedb917c6a948d3bc703785d54d2

                                                                SHA512

                                                                fd77175173102441e2616bf75ad054489e484de0c1734961eed483a451c281abbe854f8330d6c34d9aba480a6f5a68b156d5f71babd8549ed1a96385a384be8c

                                                              • C:\Users\Admin\AppData\Local\Temp\585f954b-8173-4a9b-a087-5bbbb20ced4f.tmp.node

                                                                Filesize

                                                                137KB

                                                                MD5

                                                                04bfbfec8db966420fe4c7b85ebb506a

                                                                SHA1

                                                                939bb742a354a92e1dcd3661a62d69e48030a335

                                                                SHA256

                                                                da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

                                                                SHA512

                                                                4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

                                                              • C:\Users\Admin\AppData\Local\Temp\8d29ae364174122e.vbs

                                                                Filesize

                                                                147KB

                                                                MD5

                                                                0898ad8025ec32289fa9763fa603021e

                                                                SHA1

                                                                f243215d3a9045270f633e9571084bee8f9dead4

                                                                SHA256

                                                                4a58480968ad0cab21155732ebd896512dc19b2d82f591c490a55e8cad2231af

                                                                SHA512

                                                                63f34bda890d25f8d8bf557bb1b5404052c32a1fbba67500e0b3b9f249f92fc11423d87ea698ae7af6845441bfd841c13d8c1a2d303031a6d791c2a67ec808b4

                                                              • C:\Users\Admin\AppData\Local\Temp\RES1FD7.tmp

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                402eca8f02e3452a108cc0cea37c8e2e

                                                                SHA1

                                                                274e902f529467bf93862ca80c0d49df0d674bde

                                                                SHA256

                                                                40c11b30988f3852c8ad38f5195940b4737673c5b981d44e00ff9672c2bb55b0

                                                                SHA512

                                                                b5fe678e9c0e92959424d576ab2a0329c330d48c32734ee7d53a9a2161bcc680c38bda2becbfffeb44ca983731834d78f70646b9db71441476f3bdb4cb7f9c60

                                                              • C:\Users\Admin\AppData\Local\Temp\d28832ba-5d00-43dc-8112-db1c8d622211.tmp.node

                                                                Filesize

                                                                1.4MB

                                                                MD5

                                                                56192831a7f808874207ba593f464415

                                                                SHA1

                                                                e0c18c72a62692d856da1f8988b0bc9c8088d2aa

                                                                SHA256

                                                                6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

                                                                SHA512

                                                                c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

                                                              • C:\Users\Admin\AppData\Local\Temp\open.vbs

                                                                Filesize

                                                                178B

                                                                MD5

                                                                d83700f648f245e512af6d529182a588

                                                                SHA1

                                                                b77ae526d97145d3b60bafcbedd35b4768408372

                                                                SHA256

                                                                1363152104930b3357483742c4e6d8e8df8d84e72a3e206259999e13b86fac71

                                                                SHA512

                                                                87559b0ef9cfaee0969dfa530060c95b909b9893f1cc36754da2f9a003c705ad4da1e883d76f7d80b87ea30394008df8a4c15ea58e38f22f2366fcd49270d724

                                                              • C:\Users\Admin\AppData\Local\Temp\passwords_0.db

                                                                Filesize

                                                                40KB

                                                                MD5

                                                                a182561a527f929489bf4b8f74f65cd7

                                                                SHA1

                                                                8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                SHA256

                                                                42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                SHA512

                                                                9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                              • C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                66a65322c9d362a23cf3d3f7735d5430

                                                                SHA1

                                                                ed59f3e4b0b16b759b866ef7293d26a1512b952e

                                                                SHA256

                                                                f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

                                                                SHA512

                                                                0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

                                                              • C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

                                                                Filesize

                                                                13KB

                                                                MD5

                                                                da0f40d84d72ae3e9324ad9a040a2e58

                                                                SHA1

                                                                4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

                                                                SHA256

                                                                818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

                                                                SHA512

                                                                30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

                                                              • C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

                                                                Filesize

                                                                12KB

                                                                MD5

                                                                746fe217d8616ba3bc54e934e7e1b029

                                                                SHA1

                                                                9a53630b745f4cf5dc7f1abef19d160b19e99551

                                                                SHA256

                                                                55843496c769d655443ee2f15cf07bf8094a0cc504692282afbf776d78ffc6b6

                                                                SHA512

                                                                9773a16b963ac72dcd8d3d776a13198a960022929db3206329e3c46bd03a004479ef368f60c0ba93fa09f5fce14ab1017fca07c01311e76358656f3eb8b9a193

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCE6429B28DBD34D3E88473E90AB6897A5.TMP

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                a6f2d21624678f54a2abed46e9f3ab17

                                                                SHA1

                                                                a2a6f07684c79719007d434cbd1cd2164565734a

                                                                SHA256

                                                                ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

                                                                SHA512

                                                                0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

                                                                Filesize

                                                                350B

                                                                MD5

                                                                8951565428aa6644f1505edb592ab38f

                                                                SHA1

                                                                9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2

                                                                SHA256

                                                                8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

                                                                SHA512

                                                                7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

                                                              • \??\pipe\crashpad_2972_MSVOQSJFGOEJURZX

                                                                MD5

                                                                d41d8cd98f00b204e9800998ecf8427e

                                                                SHA1

                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                SHA256

                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                SHA512

                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                              • memory/1492-197-0x0000020739520000-0x0000020739521000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/1492-195-0x0000020739520000-0x0000020739521000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/1492-196-0x0000020739520000-0x0000020739521000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/1492-201-0x0000020739520000-0x0000020739521000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/1492-202-0x0000020739520000-0x0000020739521000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/1492-206-0x0000020739520000-0x0000020739521000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/1492-204-0x0000020739520000-0x0000020739521000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/1492-203-0x0000020739520000-0x0000020739521000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/1492-205-0x0000020739520000-0x0000020739521000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/1492-207-0x0000020739520000-0x0000020739521000-memory.dmp

                                                                Filesize

                                                                4KB

                                                              • memory/3916-189-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

                                                                Filesize

                                                                40KB