File name:

CristalixLauncher.exe

Full analysis: https://app.any.run/tasks/79830eb2-51ed-44fd-8da6-f278500dc58a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 02, 2024, 16:52:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 193BF9DF72716B53F91091865AD95A3D
SHA1: FBE2127CCF12D1FA2D5D2FD38920C767B9595648
SHA256: 29750D9486434D4C2FEA75EDE7E18672C9E9FD36BF1F611674E0AE0CB46616FE
SSDEEP: 196608:Zn3JrwbTDBDkmWt7i8heVQzSjVpAK/IpjIAUPC:Z3xw3NDkmieVQzyYjWPC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks for Java to be installed

      • CristalixLauncher.exe (PID: 2184)
    • Detected use of alternative data streams (AltDS)

      • javaw.exe (PID: 116)
  • INFO

    • Create files in a temporary directory

      • javaw.exe (PID: 116)
    • Checks supported languages

      • CristalixLauncher.exe (PID: 2184)
      • javaw.exe (PID: 116)
    • Drops the executable file immediately after the start

      • CristalixLauncher.exe (PID: 2184)
      • javaw.exe (PID: 116)
    • Reads the computer name

      • javaw.exe (PID: 116)
    • Creates files in the program directory

      • javaw.exe (PID: 116)
    • Reads the machine GUID from the registry

      • javaw.exe (PID: 116)
    • Process drops legitimate windows executable

      • javaw.exe (PID: 116)
    • The process drops C-runtime libraries

      • javaw.exe (PID: 116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:09:19 08:58:07+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.32
CodeSize: 54784
InitializedDataSize: 107520
UninitializedDataSize: -
EntryPoint: 0x351d
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.1.0.0
ProductVersionNumber: 1.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: Cristalix
FileDescription: Cristalix Launcher
FileVersion: 1.1.0.0
InternalName: Cristalix.exe
LegalCopyright: Copyright (C) 2018-2022 Cristalix
OriginalFileName: Cristalix.exe
ProductName: Cristalix Launcher
ProductVersion: 1.1.0.0
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> cristalixlauncher.exe (no specs) -> javaw.exe -> icacls.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
116 | "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=15 -jar "CristalixLauncher.exe" | C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe | - | CristalixLauncher.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.2710.9
Modules
Images
c:\program files\java\jre1.8.0_271\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1056 | C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M | C:\Windows\System32\icacls.exe | - | javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
2184 | "C:\Users\admin\Desktop\CristalixLauncher.exe" | C:\Users\admin\Desktop\CristalixLauncher.exe | - | explorer.exe
User: admin
Company: Cristalix
Integrity Level: MEDIUM
Description: Cristalix Launcher
Exit code: 0
Version: 1.1.0.0
Modules
Images
c:\users\admin\desktop\cristalixlauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 623
Read events: 622
Write events: 1
Delete events: 0

Modification events

(PID) Process: (116) javaw.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Explorer.EXE
Executable files: 66
Suspicious files: 47
Text files: 33
Unknown types: 0

Dropped files

PID | Process | Filename | Type
116 | javaw.exe | C:\Users\Public\desktop.ini:WinDeviceId | binary
  MD5: 1AC637EED1C3FE61326D7B974F57201F
  SHA256: C09B250909066C35AA9B36B7914834E686822295141CFCF5BF4195A62958044F
116 | javaw.exe | C:\Users\admin\AppData\Local\Temp\+JXF2938560549448534409.tmp | binary
  MD5: ADE91F473255991F410F61857696434B
  SHA256: C8289A870D238AA042BDFD09364FE6DEA524BCD1EA485341878D8C75A32AB444
116 | javaw.exe | C:\Users\admin\.cristalix\updates\jre-win-32\lib\calendars.properties | text
  MD5: 2427A39CB407A43B67976B83CEB3775A
  SHA256: 0915E64C2A86C35B0B60DF2BC6FDCFC4CD41CD4064EE0D5BAC287E2406E203C9
116 | javaw.exe | C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8061.timestamp | text
  MD5: 271B78A4D851E7EBF81A3BE003D77E98
  SHA256: 2E0BE7BA64A99F93E7C8C59BA0F0C6D103DC947DDDFB919B74E89D662AB6F590
116 | javaw.exe | C:\Users\admin\AppData\Local\Temp\+JXF7716445647814601026.tmp | binary
  MD5: C8B6E083AF3F94009801989C3739425E
  SHA256: 421F26B23E2BE6B98373D32ACD3CB2897B154D4BF0A77D26534CE476E4CBED53
116 | javaw.exe | C:\Users\admin\.cristalix\updates\jre-win-32\lib\logging.properties | text
  MD5: 809C50033F825EFF7FC70419AAF30317
  SHA256: CE1688FE641099954572EA856953035B5188E2CA228705001368250337B9B232
116 | javaw.exe | C:\Users\admin\.cristalix\updates\jre-win-32\lib\fontconfig.bfc | binary
  MD5: 10659AAB9EC6DA525961D99582EA44E3
  SHA256: C43695D3EAF2F8FEFD7EB82F3F565039B8E2ECF8D88E401E4612377A9F5BD6FD
116 | javaw.exe | C:\Users\admin\.cristalix\updates\jre-win-32\lib\sound.properties | text
  MD5: 4F95242740BFB7B133B879597947A41E
  SHA256: 299C2360B6155EB28990EC49CD21753F97E43442FE8FAB03E04F3E213DF43A66
116 | javaw.exe | C:\Users\admin\.cristalix\updates\jre-win-32\lib\meta-index | text
  MD5: 31EC4F5CFB18D6D2695D60D7DE328E68
  SHA256: EA44C68280599283CCC9786AEF87EC614DCB86EB48DF47268B5A8E0E17F51ADC
116 | javaw.exe | C:\Users\admin\.cristalix\updates\jre-win-32\lib\psfont.properties.ja | text
  MD5: D4C735BF5756759A1C3BC8DE408629FC
  SHA256: 5A4BD51B969BF187FF86D94F4A71FDFBFA602762975FA3C73D264B4575F7C78F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 142
TCP/UDP connections: 63
DNS requests: 11
Threats: 68

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
116 | javaw.exe | GET | 200 | 104.26.11.197:80 | http://cdn2.c7x.dev/launchserverv2/8978d347c4ecd261 | unknown | text | 2.32 Kb | -
116 | javaw.exe | GET | 200 | 104.26.11.197:80 | http://cdn2.c7x.dev/launchserverv2/77397409dbb62cf3 | unknown | binary | 3.93 Kb | -
116 | javaw.exe | GET | 200 | 104.26.11.197:80 | http://cdn2.c7x.dev/launchserverv2/77cabd161ccc1e72 | unknown | text | 3.84 Kb | -
116 | javaw.exe | GET | 200 | 104.26.11.197:80 | http://cdn2.c7x.dev/launchserverv2/e019f2f585eb81a4 | unknown | text | 5.42 Kb | -
116 | javaw.exe | GET | 200 | 104.26.11.197:80 | http://cdn2.c7x.dev/launchserverv2/243d7f27fe2b4f5b | unknown | binary | 3.58 Kb | -
116 | javaw.exe | GET | 200 | 104.26.11.197:80 | http://cdn2.c7x.dev/launchserverv2/cfa85a64b1f11744 | unknown | text | 11.2 Kb | -
116 | javaw.exe | GET | 200 | 104.26.11.197:80 | http://cdn2.c7x.dev/launchserverv2/f85e3e849806d61f | unknown | text | 14.6 Kb | -
116 | javaw.exe | GET | 200 | 104.26.11.197:80 | http://cdn2.c7x.dev/launchserverv2/045457506b4a0eb7 | unknown | text | 4.13 Kb | -
116 | javaw.exe | GET | 200 | 104.26.11.197:80 | http://cdn2.c7x.dev/launchserverv2/61a87d9e10acf2d0 | unknown | text | 2.40 Kb | -
116 | javaw.exe | GET | 200 | 104.26.11.197:80 | http://cdn2.c7x.dev/launchserverv2/5921b5cd77439266 | unknown | text | 1.96 Kb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
116 | javaw.exe | 104.26.10.197:443 | staticlnchr.c7x.dev | CLOUDFLARENET | US | unknown
116 | javaw.exe | 104.26.11.197:443 | staticlnchr.c7x.dev | CLOUDFLARENET | US | unknown
116 | javaw.exe | 104.26.4.2:443 | cristalix.gg | CLOUDFLARENET | US | unknown
116 | javaw.exe | 87.240.185.149:443 | sun9-46.userapi.com | VKontakte Ltd | RU | unknown
116 | javaw.exe | 93.186.227.148:443 | sun9-41.userapi.com | VKontakte Ltd | RU | unknown
116 | javaw.exe | 93.186.227.149:443 | sun9-42.userapi.com | VKontakte Ltd | RU | unknown
116 | javaw.exe | 104.26.11.197:80 | staticlnchr.c7x.dev | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
staticlnchr.c7x.dev | 104.26.10.197, 104.26.11.197, 172.67.72.205 | unknown
dynamiclnchr.c7x.dev | 104.26.11.197, 172.67.72.205, 104.26.10.197 | unknown
cristalix.gg | 104.26.4.2, 172.67.70.249, 104.26.5.2 | unknown
sun9-46.userapi.com | 87.240.185.149 | unknown
sun9-41.userapi.com | 93.186.227.148 | unknown
sun9-42.userapi.com | 93.186.227.149 | unknown
cdn2.c7x.dev | 104.26.11.197, 172.67.72.205, 104.26.10.197 | unknown

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO JAR Size Under 30K Size - Potentially Hostile
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- | - | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- | - | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- | - | Misc activity | ET INFO Packed Executable Download
- | - | Misc activity | ET INFO Packed Executable Download
- | - | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
No debug info