Malware analysis https://crystal-launcher.net Malicious activity

Add for printing

URL:	https://crystal-launcher.net
Full analysis:	https://app.any.run/tasks/63e2c4a6-2380-4196-8bd4-8e65e83b5f0a
Verdict:	Malicious activity
Analysis date:	August 04, 2024, 21:55:45
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	telegram antivm
Indicators:
MD5:	009F58D81B4764578BC2D36B42CBE78A
SHA1:	F75B02DDEC603919291C5005FF5BA199B33AA1D8
SHA256:	A712F4FA410759E7FD15B195DE5214C0D3863A63481DD0987259069380A96F4C
SSDEEP:	3:N8KziAv0:2K8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - java.exe (PID: 6840)
  - javaw.exe (PID: 6372)
  - CrystalLauncherN.exe (PID: 8108)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - CrystalLauncherN.exe (PID: 8108)
- Cleans NTFS data stream (Zone Identifier)
  - CrystalLauncherN.exe (PID: 8108)
- The process drops C-runtime libraries
  - CrystalLauncherN.exe (PID: 8108)
- The process creates files with name similar to system file names
  - CrystalLauncherN.exe (PID: 8108)
- Process drops legitimate windows executable
  - CrystalLauncherN.exe (PID: 8108)
- Executable content was dropped or overwritten
  - CrystalLauncherN.exe (PID: 8108)
  - javaw.exe (PID: 6372)
  - java.exe (PID: 6840)
- There is functionality for VM detection (VMWare)
  - javaw.exe (PID: 6372)
- There is functionality for VM detection (antiVM strings)
  - javaw.exe (PID: 6372)
INFO
- Application launched itself
  - firefox.exe (PID: 6400)
  - firefox.exe (PID: 6428)
- Reads Microsoft Office registry keys
  - firefox.exe (PID: 6428)
- Checks supported languages
  - CrystalLauncherN.exe (PID: 8108)
  - TextInputHost.exe (PID: 1020)
  - javaw.exe (PID: 6372)
  - java.exe (PID: 6840)
- The process uses the downloaded file
  - firefox.exe (PID: 6428)
  - CrystalLauncherN.exe (PID: 8108)
- Manual execution by a user
  - CrystalLauncherN.exe (PID: 8108)
- Reads the computer name
  - CrystalLauncherN.exe (PID: 8108)
  - TextInputHost.exe (PID: 1020)
  - java.exe (PID: 6840)
  - javaw.exe (PID: 6372)
- Reads Environment values
  - CrystalLauncherN.exe (PID: 8108)
- Drops the executable file immediately after the start
  - firefox.exe (PID: 6428)
- Creates files or folders in the user directory
  - CrystalLauncherN.exe (PID: 8108)
  - javaw.exe (PID: 6372)
  - java.exe (PID: 6840)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 6428)
- Reads the machine GUID from the registry
  - CrystalLauncherN.exe (PID: 8108)
  - java.exe (PID: 6840)
  - javaw.exe (PID: 6372)
- Checks proxy server information
  - CrystalLauncherN.exe (PID: 8108)
- Disables trace logs
  - CrystalLauncherN.exe (PID: 8108)
- Reads the software policy settings
  - CrystalLauncherN.exe (PID: 8108)
  - javaw.exe (PID: 6372)
- Attempting to use instant messaging service
  - firefox.exe (PID: 6428)
- Create files in a temporary directory
  - javaw.exe (PID: 6372)
  - java.exe (PID: 6840)
- Reads CPU info
  - javaw.exe (PID: 6372)
  - java.exe (PID: 6840)
- Process checks computer location settings
  - javaw.exe (PID: 6372)
  - java.exe (PID: 6840)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

166

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1020

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

1120

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4872 -childID 10 -isForBrowser -prefsHandle 7784 -prefMapHandle 7788 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1388 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fe57fdb-ffe2-4699-9e4d-134e07233511} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 1805ad20150 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3068

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 11 -isForBrowser -prefsHandle 4024 -prefMapHandle 7796 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1388 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94b6d07f-e1f9-490a-802e-843a7457b98d} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 1805c17e4d0 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3476

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -childID 13 -isForBrowser -prefsHandle 7036 -prefMapHandle 7972 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1388 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d856377-1f38-4e7b-99d5-f129a4ffd318} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 180570e0310 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

4484

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5068 -childID 5 -isForBrowser -prefsHandle 6000 -prefMapHandle 6004 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1388 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3bd7b5c-6900-4409-8699-5a1c00c4b207} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 18059065f50 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

5476

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7068 -childID 14 -isForBrowser -prefsHandle 5696 -prefMapHandle 5652 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1388 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54fac376-44a5-44c5-9975-ee5f960b6fa6} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 180570e0690 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

6208

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 34713 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24b776dc-8a93-4253-9bf4-84a370f469d3} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 180597c4b10 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

6300

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 2448 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1388 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2e285cd-24a3-44bc-bb65-2aeec3ae5dc4} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 18058a52310 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

6336

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 3 -isForBrowser -prefsHandle 5504 -prefMapHandle 5256 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1388 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3a2c030-64da-4ee2-9b51-d86426809130} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 18058a52150 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

6372

"C:\Users\admin\AppData\Roaming\Crystal-Launcher\runtime\64\jdk-17.0.1+12\bin\javaw.exe" -Dfile.encoding="UTF-8" -Dcrystal.windowsEngine="true" -Djava.net.preferIPv4Stack=true -Xmx256M -Xms128M -Dcrystal.wrapper.graphicscard=4D6963726F736F667420426173696320446973706C61792041646170746572 -Dcrystal.wrapper.version=34 -Dcrystal.runtimedir=jdk-17.0.1+12 -cp "C:\Users\admin\AppData\Roaming\Crystal-Launcher\launcher.jar" ovh.leszczu8023.crystalwrapper.Main

C:\Users\admin\AppData\Roaming\Crystal-Launcher\runtime\64\jdk-17.0.1+12\bin\javaw.exe

CrystalLauncherN.exe

User:

admin

Company:

Microsoft

Integrity Level:

MEDIUM

Description:

OpenJDK Platform binary

Version:

17.0.1.0

Modules

Images
c:\users\admin\appdata\roaming\crystal-launcher\runtime\64\jdk-17.0.1+12\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\crystal-launcher\runtime\64\jdk-17.0.1+12\bin\vcruntime140.dll
c:\users\admin\appdata\roaming\crystal-launcher\runtime\64\jdk-17.0.1+12\bin\jli.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

Add for printing

Total events

38 112

Read events

38 028

Write events

Delete events

Modification events


(PID) Process:	(6400) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher
Value: A2401BC900000000
(PID) Process:	(6428) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: 04471DC900000000
(PID) Process:	(6428) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Progress
Value: 0
(PID) Process:	(6428) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Progress
Value: 1
(PID) Process:	(6428) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Installer\308046B0AF4A39CB
Operation:	delete value	Name:	installer.taskbarpin.win10.enabled
Value:
(PID) Process:	(6428) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 0
(PID) Process:	(6428) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(6428) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Theme
Value: 1
(PID) Process:	(6428) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableTelemetry
Value: 1
(PID) Process:	(6428) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableDefaultBrowserAgent
Value: 0

Add for printing

Executable files

285

Suspicious files

487

Text files

625

Unknown types

Dropped files

PID	Process	Filename		Type
6428	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6428	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db-journal		binary
		MD5:12B28E2A6C5821AF983CE748D71AC302	SHA256:C3F4C84D850EBDA034D2C6C283ED6FE41C73354A04EB925DFB68605E54B0F178
6428	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js		text
		MD5:7A97B8DBC4F98D175F958C00F463A52A	SHA256:92074D2ED1AA1FD621287E35DB9EF1AE3DC04777EFAE5F09E7A3B4534C201548
6428	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6428	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—
6428	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
6428	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmp		dbf
		MD5:4006DDC2918B16C7EF5516C58373842B	SHA256:269EA23B77EDE0874628BD8611BCC5A3E87E0C44CA8A821C0D028B929D4F468F
6428	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6428	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\AlternateServices.bin		binary
		MD5:95D1E3921F28656AEBBDC8C30C03C7A4	SHA256:6977CA622A04F6965DC17D1ADA8A24B3F37AD5537101F1F93BDD1C094FDCC986
6428	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js		text
		MD5:7A97B8DBC4F98D175F958C00F463A52A	SHA256:92074D2ED1AA1FD621287E35DB9EF1AE3DC04777EFAE5F09E7A3B4534C201548

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

237

DNS requests

222

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6428	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
6428	firefox.exe	POST	200	95.101.54.131:80	http://r11.o.lencr.org/	unknown	—	—	unknown
6428	firefox.exe	POST	200	95.101.54.216:80	http://r10.o.lencr.org/	unknown	—	—	unknown
6428	firefox.exe	POST	200	104.18.38.233:80	http://ocsp.sectigo.com/	unknown	—	—	unknown
6428	firefox.exe	POST	200	104.18.38.233:80	http://ocsp.sectigo.com/	unknown	—	—	unknown
6428	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
6428	firefox.exe	POST	200	95.101.54.216:80	http://r10.o.lencr.org/	unknown	—	—	unknown
6428	firefox.exe	POST	200	95.101.54.131:80	http://r11.o.lencr.org/	unknown	—	—	unknown
6428	firefox.exe	POST	200	95.101.54.216:80	http://r10.o.lencr.org/	unknown	—	—	unknown
6428	firefox.exe	POST	200	95.101.54.216:80	http://r10.o.lencr.org/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3036	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2796	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6428	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
6428	firefox.exe	188.114.97.3:443	crystal-launcher.net	CLOUDFLARENET	NL	unknown
6428	firefox.exe	34.117.188.166:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	unknown
6428	firefox.exe	34.160.144.191:443	content-signature-2.cdn.mozilla.net	GOOGLE	US	unknown
6428	firefox.exe	95.101.54.216:80	r10.o.lencr.org	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.185.110	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
crystal-launcher.net	188.114.97.3 188.114.96.3 2a06:98c1:3120::3 2a06:98c1:3121::3	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
contile.services.mozilla.com	34.117.188.166	whitelisted
example.org	93.184.215.14	whitelisted
ipv4only.arpa	192.0.0.171 192.0.0.170	whitelisted
spocs.getpocket.com	34.117.188.166	whitelisted
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	unknown

Threats

PID	Process	Class	Message
6428	firefox.exe	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
6428	firefox.exe	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)

Add for printing

Process	Message
CrystalLauncherN.exe	[8/4/2024 9:56:20 PM][Void Log(System.String, System.String):0] [INFO] Starting task ResolveAssembilesTask...
CrystalLauncherN.exe	[8/4/2024 9:56:20 PM][Void Log(System.String, System.String):0] [INFO] Task ResolveAssembilesTask finished with ActionResult OK
CrystalLauncherN.exe	[8/4/2024 9:56:20 PM][Void Log(System.String, System.String):0] [INFO] Starting task SetupEnvTask...
CrystalLauncherN.exe	[8/4/2024 9:56:20 PM][Void Log(System.String, System.String):0] [INFO] Setting up newer TLS version...
CrystalLauncherN.exe	[8/4/2024 9:56:20 PM][Void Log(System.String, System.String):0] [INFO] Cleaning up attributes...
CrystalLauncherN.exe	[8/4/2024 9:56:20 PM][Boolean HasArgument(System.String):0] HasArgument /dryRun? = false
CrystalLauncherN.exe	[8/4/2024 9:56:20 PM][Boolean HasArgument(System.String):0] HasArgument /nosetup? = false
CrystalLauncherN.exe	[8/4/2024 9:56:20 PM][System.String GetArgument(System.String):0] HasArgument /params? = false
CrystalLauncherN.exe	[8/4/2024 9:56:20 PM][Void Log(System.String, System.String):0] [INFO] Task SetupEnvTask finished with ActionResult OK
CrystalLauncherN.exe	[8/4/2024 9:56:20 PM][Void Log(System.String, System.String):0] [INFO] Starting task RuntimeModelTask...

General Info

https://crystal-launcher.net

009F58D81B4764578BC2D36B42CBE78A

F75B02DDEC603919291C5005FF5BA199B33AA1D8

A712F4FA410759E7FD15B195DE5214C0D3863A63481DD0987259069380A96F4C

3:N8KziAv0:2K8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Reads security settings of Internet Explorer

Cleans NTFS data stream (Zone Identifier)

The process drops C-runtime libraries

The process creates files with name similar to system file names

Process drops legitimate windows executable

Executable content was dropped or overwritten

There is functionality for VM detection (VMWare)

There is functionality for VM detection (antiVM strings)

INFO

Application launched itself

Reads Microsoft Office registry keys

Checks supported languages

The process uses the downloaded file

Manual execution by a user

Reads the computer name

Reads Environment values

Drops the executable file immediately after the start

Creates files or folders in the user directory

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Checks proxy server information

Disables trace logs

Reads the software policy settings

Attempting to use instant messaging service

Create files in a temporary directory

Reads CPU info

Process checks computer location settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings