Analysis
max time kernel: 600s
max time network: 605s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23-11-2024 00:46
Static task: static1
Behavioral task behavioral1: Sample CrystalSiegeDemo.exe, Resource win10ltsc2021-20241023-en
Behavioral task behavioral2: Sample CrystalSiegeDemo.exe, Resource win11-20241023-en
Behavioral task behavioral3: Sample CrystalSiege.exe, Resource win10ltsc2021-20241023-en
Behavioral task behavioral4: Sample CrystalSiege.exe, Resource win11-20241007-en
General
Target: CrystalSiege.exe
Size: 154.6MB
MD5: ff881bc6d9f56f353232a177575d0f1f
SHA1: 9d2fea770f59f05a6480a5f8915227bc6457f74c
SHA256: 690323b53f29fd18687a9049d7c4c26cb8346a8a4b65c51660a55ae6141f4dab
SHA512: e5bdda697e1572c969081548a84d3553fcd3ea45395eb0de2ae9f0f91308fd54edf0eb222d1d8cb99a12e83196cb3364488e86ebc4991eb63937dd7a1662fc5e
SSDEEP: 1572864:gTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:Tv6E70+Mk
Malware Config
Signatures
-
Hexon family
-
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
Processes:
pid Process
2972 chrome.exe
2716 msedge.exe
3672 msedge.exe
1008 msedge.exe
1872 msedge.exe
2164 msedge.exe
4804 chrome.exe
3508 chrome.exe
2384 chrome.exe
-
Drops startup file 1 IoCs
Processes:
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs CrystalSiege.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid Process
4428 hexon_5342088f19a1291a.exe
3916 screenCapture_1.3.2.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid Process
1216 CrystalSiege.exe
1216 CrystalSiege.exe
4428 hexon_5342088f19a1291a.exe
4428 hexon_5342088f19a1291a.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates processes with tasklist 1 TTPs 7 IoCs
Processes:
pid Process
3176 tasklist.exe
3232 tasklist.exe
240 tasklist.exe
3364 tasklist.exe
4636 tasklist.exe
744 tasklist.exe
5044 tasklist.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description ioc Process
File opened for modification C:\Windows\SystemTemp chrome.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
-
Kills process with taskkill 9 IoCs
Processes:
pid Process
2816 taskkill.exe
1284 taskkill.exe
3132 taskkill.exe
2760 taskkill.exe
3104 taskkill.exe
2456 taskkill.exe
4656 taskkill.exe
976 taskkill.exe
2024 taskkill.exe
-
Modifies registry class 1 IoCs
Processes:
description ioc Process
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4249425805-3408538557-1766626484-1000\{02736D29-1CDF-4DB8-A2C1-2E2C67F99268} msedge.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid Process
2060 CrystalSiege.exe
2060 CrystalSiege.exe
2972 chrome.exe
2972 chrome.exe
3416 msedge.exe
3416 msedge.exe
2892 msedge.exe
2892 msedge.exe
2708 msedge.exe
2708 msedge.exe
1008 msedge.exe
1008 msedge.exe
3672 msedge.exe
3672 msedge.exe
2716 msedge.exe
2716 msedge.exe
1872 msedge.exe
1872 msedge.exe
2164 msedge.exe
2164 msedge.exe
2320 msedge.exe
2320 msedge.exe
1492 CrystalSiege.exe
1492 CrystalSiege.exe
1492 CrystalSiege.exe
1492 CrystalSiege.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid Process
Token: SeIncreaseQuotaPrivilege 1860 WMIC.exe
Token: SeSecurityPrivilege 1860 WMIC.exe
Token: SeTakeOwnershipPrivilege 1860 WMIC.exe
Token: SeLoadDriverPrivilege 1860 WMIC.exe
Token: SeSystemProfilePrivilege 1860 WMIC.exe
Token: SeSystemtimePrivilege 1860 WMIC.exe
Token: SeProfSingleProcessPrivilege 1860 WMIC.exe
Token: SeIncBasePriorityPrivilege 1860 WMIC.exe
Token: SeCreatePagefilePrivilege 1860 WMIC.exe
Token: SeBackupPrivilege 1860 WMIC.exe
Token: SeRestorePrivilege 1860 WMIC.exe
Token: SeShutdownPrivilege 1860 WMIC.exe
Token: SeDebugPrivilege 1860 WMIC.exe
Token: SeSystemEnvironmentPrivilege 1860 WMIC.exe
Token: SeRemoteShutdownPrivilege 1860 WMIC.exe
Token: SeUndockPrivilege 1860 WMIC.exe
Token: SeManageVolumePrivilege 1860 WMIC.exe
Token: 33 1860 WMIC.exe
Token: 34 1860 WMIC.exe
Token: 35 1860 WMIC.exe
Token: 36 1860 WMIC.exe
Token: SeIncreaseQuotaPrivilege 1860 WMIC.exe
Token: SeSecurityPrivilege 1860 WMIC.exe
Token: SeTakeOwnershipPrivilege 1860 WMIC.exe
Token: SeLoadDriverPrivilege 1860 WMIC.exe
Token: SeSystemProfilePrivilege 1860 WMIC.exe
Token: SeSystemtimePrivilege 1860 WMIC.exe
Token: SeProfSingleProcessPrivilege 1860 WMIC.exe
Token: SeIncBasePriorityPrivilege 1860 WMIC.exe
Token: SeCreatePagefilePrivilege 1860 WMIC.exe
Token: SeBackupPrivilege 1860 WMIC.exe
Token: SeRestorePrivilege 1860 WMIC.exe
Token: SeShutdownPrivilege 1860 WMIC.exe
Token: SeDebugPrivilege 1860 WMIC.exe
Token: SeSystemEnvironmentPrivilege 1860 WMIC.exe
Token: SeRemoteShutdownPrivilege 1860 WMIC.exe
Token: SeUndockPrivilege 1860 WMIC.exe
Token: SeManageVolumePrivilege 1860 WMIC.exe
Token: 33 1860 WMIC.exe
Token: 34 1860 WMIC.exe
Token: 35 1860 WMIC.exe
Token: 36 1860 WMIC.exe
Token: SeDebugPrivilege 240 tasklist.exe
Token: SeDebugPrivilege 3364 tasklist.exe
Token: SeShutdownPrivilege 1216 CrystalSiege.exe
Token: SeCreatePagefilePrivilege 1216 CrystalSiege.exe
Token: SeDebugPrivilege 4636 tasklist.exe
Token: SeShutdownPrivilege 1216 CrystalSiege.exe
Token: SeCreatePagefilePrivilege 1216 CrystalSiege.exe
Token: SeShutdownPrivilege 2972 chrome.exe
Token: SeCreatePagefilePrivilege 2972 chrome.exe
Token: SeShutdownPrivilege 1216 CrystalSiege.exe
Token: SeCreatePagefilePrivilege 1216 CrystalSiege.exe
Token: SeShutdownPrivilege 2972 chrome.exe
Token: SeCreatePagefilePrivilege 2972 chrome.exe
Token: SeShutdownPrivilege 1216 CrystalSiege.exe
Token: SeCreatePagefilePrivilege 1216 CrystalSiege.exe
Token: SeShutdownPrivilege 2972 chrome.exe
Token: SeCreatePagefilePrivilege 2972 chrome.exe
Token: SeShutdownPrivilege 1216 CrystalSiege.exe
Token: SeCreatePagefilePrivilege 1216 CrystalSiege.exe
Token: SeShutdownPrivilege 1216 CrystalSiege.exe
Token: SeCreatePagefilePrivilege 1216 CrystalSiege.exe
Token: SeShutdownPrivilege 1216 CrystalSiege.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid Process
2972 chrome.exe
2716 msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid Process procid_target
PID 1216 wrote to memory of 3148 1216 CrystalSiege.exe 79
PID 1216 wrote to memory of 3148 1216 CrystalSiege.exe 79
PID 3148 wrote to memory of 1860 3148 cmd.exe 81
PID 3148 wrote to memory of 1860 3148 cmd.exe 81
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 1452 1216 CrystalSiege.exe 83
PID 1216 wrote to memory of 2060 1216 CrystalSiege.exe 84
PID 1216 wrote to memory of 2060 1216 CrystalSiege.exe 84
PID 1216 wrote to memory of 1284 1216 CrystalSiege.exe 85
PID 1216 wrote to memory of 1284 1216 CrystalSiege.exe 85
PID 1284 wrote to memory of 240 1284 cmd.exe 87
PID 1284 wrote to memory of 240 1284 cmd.exe 87
PID 1216 wrote to memory of 976 1216 CrystalSiege.exe 88
PID 1216 wrote to memory of 976 1216 CrystalSiege.exe 88
PID 976 wrote to memory of 3320 976 cmd.exe 90
PID 976 wrote to memory of 3320 976 cmd.exe 90
PID 1216 wrote to memory of 2852 1216 CrystalSiege.exe 91
PID 1216 wrote to memory of 2852 1216 CrystalSiege.exe 91
PID 2852 wrote to memory of 3364 2852 cmd.exe 93
PID 2852 wrote to memory of 3364 2852 cmd.exe 93
PID 1216 wrote to memory of 4688 1216 CrystalSiege.exe 94
PID 1216 wrote to memory of 4688 1216 CrystalSiege.exe 94
PID 4688 wrote to memory of 4636 4688 cmd.exe 96
PID 4688 wrote to memory of 4636 4688 cmd.exe 96
PID 1216 wrote to memory of 2972 1216 CrystalSiege.exe 97
PID 1216 wrote to memory of 2972 1216 CrystalSiege.exe 97
PID 2972 wrote to memory of 4024 2972 chrome.exe 98
PID 2972 wrote to memory of 4024 2972 chrome.exe 98
PID 2972 wrote to memory of 4500 2972 chrome.exe 99
PID 2972 wrote to memory of 4500 2972 chrome.exe 99
PID 2972 wrote to memory of 4800 2972 chrome.exe 100
PID 2972 wrote to memory of 4800 2972 chrome.exe 100
PID 2972 wrote to memory of 4908 2972 chrome.exe 101
PID 2972 wrote to memory of 4908 2972 chrome.exe 101
PID 2972 wrote to memory of 3508 2972 chrome.exe 102
Processes
[1] C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
    "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe"
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1216
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      - Suspicious use of WriteProcessMemory
      PID:3148
    [3] C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken
        PID:1860
  [2] C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
      "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1820,i,13332806268252173299,5270368670886337533,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      PID:1452
  [2] C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
      "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --mojo-platform-channel-handle=2024 --field-trial-handle=1820,i,13332806268252173299,5270368670886337533,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:2060
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory
      PID:1284
    [3] C:\Windows\system32\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID:240
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
      - Suspicious use of WriteProcessMemory
      PID:976
    [3] C:\Windows\system32\where.exe
        where /r . cookies.sqlite
        PID:3320
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory
      PID:2852
    [3] C:\Windows\system32\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID:3364
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory
      PID:4688
    [3] C:\Windows\system32\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID:4636
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9223 --profile-directory=Default --disable-gpu --no-sandbox --window-position=-32000,-32000
      - Uses browser remote debugging
      - Drops file in Windows directory
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID:2972
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe00fcc40,0x7ffbe00fcc4c,0x7ffbe00fcc58
        PID:4024
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1928,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
        PID:4500
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1760,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:3
        PID:4800
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=1996,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2004 /prefetch:8
        PID:4908
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2844,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2864 /prefetch:1
        - Uses browser remote debugging
        PID:3508
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2868,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2892 /prefetch:1
        - Uses browser remote debugging
        PID:4804
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3840,i,14948802929208286442,11344907860202981578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3936 /prefetch:1
        - Uses browser remote debugging
        PID:2384
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --disable-gpu --no-sandbox --window-position=-32000,-32000
      - Uses browser remote debugging
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      PID:2716
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbdcd63cb8,0x7ffbdcd63cc8,0x7ffbdcd63cd8
        PID:4232
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --no-sandbox --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1932 /prefetch:2
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        PID:3416
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2236 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
        PID:2892
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2608 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
        PID:2708
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
        - Uses browser remote debugging
        - Suspicious behavior: EnumeratesProcesses
        PID:1008
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
        - Uses browser remote debugging
        - Suspicious behavior: EnumeratesProcesses
        PID:3672
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1
        - Uses browser remote debugging
        - Suspicious behavior: EnumeratesProcesses
        PID:2164
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9223 --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
        - Uses browser remote debugging
        - Suspicious behavior: EnumeratesProcesses
        PID:1872
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,846189012412090945,9142647082753913924,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=4200 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
        PID:2320
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      PID:1692
    [3] C:\Windows\system32\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        PID:5044
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      PID:2172
    [3] C:\Windows\system32\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        PID:744
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      PID:4684
    [3] C:\Windows\system32\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        PID:3176
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
      PID:1572
    [3] C:\Windows\system32\where.exe
        where /r . *.sqlite
        PID:1044
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
      PID:1340
    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /T /IM chrome.exe
        - Kills process with taskkill
        PID:1284
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
      PID:3200
    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /T /IM msedge.exe
        - Kills process with taskkill
        PID:2816
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
      PID:2068
    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /T /IM chrome.exe
        - Kills process with taskkill
        PID:976
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
      PID:5076
    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /T /IM msedge.exe
        - Kills process with taskkill
        PID:4656
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM chrome.exe"
      PID:1492
    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /T /IM chrome.exe
        - Kills process with taskkill
        PID:2456
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /T /IM msedge.exe"
      PID:1948
    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /T /IM msedge.exe
        - Kills process with taskkill
        PID:3132
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM EpicGamesLauncher.exe /F"
      PID:868
    [3] C:\Windows\system32\taskkill.exe
        taskkill /IM EpicGamesLauncher.exe /F
        - Kills process with taskkill
        PID:2024
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM javaw.exe /F"
      PID:4720
    [3] C:\Windows\system32\taskkill.exe
        taskkill /IM javaw.exe /F
        - Kills process with taskkill
        PID:3104
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM Steam.exe /F"
      PID:1668
    [3] C:\Windows\system32\taskkill.exe
        taskkill /IM Steam.exe /F
        - Kills process with taskkill
        PID:2760
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      PID:3584
    [3] C:\Windows\system32\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        PID:3232
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wscript "C:\Users\Admin\AppData\Local\Temp\8d29ae364174122e.vbs""
      PID:3120
    [3] C:\Windows\system32\wscript.exe
        wscript "C:\Users\Admin\AppData\Local\Temp\8d29ae364174122e.vbs"
        PID:3564
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cscript //B "C:\Users\Admin\AppData\Local\Temp\open.vbs""
      PID:3640
    [3] C:\Windows\system32\cscript.exe
        cscript //B "C:\Users\Admin\AppData\Local\Temp\open.vbs"
        PID:2408
      [4] C:\Users\Admin\AppData\Local\Temp\hexon_5342088f19a1291a.exe
          "C:\Users\Admin\AppData\Local\Temp\hexon_5342088f19a1291a.exe" gayarwez discord
          - Executes dropped EXE
          - Loads dropped DLL
          PID:4428
        [5] C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
            PID:1852
          [6] C:\Windows\System32\reg.exe
              C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
              PID:2204
        [5] C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\20241023-4428-1ki73nv.9ir7f.png" "
            PID:3388
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
              - System Location Discovery: System Language Discovery
              PID:5032
            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FD7.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCE6429B28DBD34D3E88473E90AB6897A5.TMP"
                - System Location Discovery: System Language Discovery
                PID:3108
          [6] C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
              screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\20241023-4428-1ki73nv.9ir7f.png"
              - Executes dropped EXE
              PID:3916
  [2] C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe
      "C:\Users\Admin\AppData\Local\Temp\CrystalSiege.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2616 --field-trial-handle=1820,i,13332806268252173299,5270368670886337533,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID:1492
[1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    PID:1128
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Modify Authentication Process 1
Steal Web Session Cookie 1
Unsecured Credentials 1
Credentials In Files 1
Downloads