Analysis

  • max time kernel
    1700s
  • max time network
    1801s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240709-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    16-07-2024 16:29

General

  • Target

    Celestial Crack.zip

  • Size

    18.3MB

  • MD5

    3c002d22691e03979237c9b2e59b68fe

  • SHA1

    4eb08de136c65c39ac50cce1eb933f0ebdb32a58

  • SHA256

    3d5c1e8b26ab2596b9109d465b2edaaecea6e19b1a976a102b2a855249d70915

  • SHA512

    b8a40611097d6875e47c76cfa8c8429bf457a6d240f9bc4e4d95a696acfaf87092e9cf29f03131b515c30e5aa03ffe210ae53f788fdcc2906972e963ebeab84f

  • SSDEEP

    393216:7bXvrdREdINeW/FJxcd6CZMczYrjpJViNyfBJNPrTZAHd5s:fBREdIfdG6C9YHNHfB3PROdu

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 26 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and cookies.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Celestial Crack.zip"
    1⤵
      PID:1936
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2128
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Celestial Crack\" -spe -an -ai#7zMap22461:110:7zEvent32038
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4540
      • C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe
        "C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ProviderdriverIntocommon\88xPq.vbe"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4984
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ProviderdriverIntocommon\agbLTe.bat" "
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1412
            • C:\ProviderdriverIntocommon\blocksavesdll.exe
              "C:\ProviderdriverIntocommon\blocksavesdll.exe"
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4980
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uaov4e74DQ.bat"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:860
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:4272
                  • C:\Users\Public\sysmon.exe
                    "C:\Users\Public\sysmon.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2416
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2216
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2372
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4296
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4388
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2868
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1652
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:796
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4092
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4192
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1364
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3612
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2724
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4140
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3780
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2752
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4292
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sysmon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4252
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\Links\TextInputHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2576
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3724
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Favorites\Links\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1288
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4952
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Registry.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2244
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Google\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3244
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3436
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3660
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2716
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1212
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:764
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:608
        • C:\Program Files\Google\Registry.exe
          "C:\Program Files\Google\Registry.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2152
        • C:\Program Files\Common Files\services.exe
          "C:\Program Files\Common Files\services.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1292
        • C:\Program Files\Reference Assemblies\fontdrvhost.exe
          "C:\Program Files\Reference Assemblies\fontdrvhost.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3780
        • C:\Users\Admin\Favorites\Links\TextInputHost.exe
          C:\Users\Admin\Favorites\Links\TextInputHost.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1832
        • C:\Users\Public\sysmon.exe
          C:\Users\Public\sysmon.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5004
        • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe
          "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4792
        • C:\Users\Public\Libraries\RuntimeBroker.exe
          C:\Users\Public\Libraries\RuntimeBroker.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2240
        • C:\Program Files\Google\Registry.exe
          "C:\Program Files\Google\Registry.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1312
        • C:\Program Files\Common Files\services.exe
          "C:\Program Files\Common Files\services.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3988
        • C:\Program Files\Reference Assemblies\fontdrvhost.exe
          "C:\Program Files\Reference Assemblies\fontdrvhost.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2632
        • C:\Users\Admin\Videos\csrss.exe
          C:\Users\Admin\Videos\csrss.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4272
        • C:\Users\Admin\Favorites\Links\TextInputHost.exe
          C:\Users\Admin\Favorites\Links\TextInputHost.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3928
        • C:\Users\Public\sysmon.exe
          C:\Users\Public\sysmon.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3980
        • C:\Program Files\Google\Registry.exe
          "C:\Program Files\Google\Registry.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2000
        • C:\Program Files\Common Files\services.exe
          "C:\Program Files\Common Files\services.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3264
        • C:\Program Files\Reference Assemblies\fontdrvhost.exe
          "C:\Program Files\Reference Assemblies\fontdrvhost.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4820
        • C:\Users\Admin\Favorites\Links\TextInputHost.exe
          C:\Users\Admin\Favorites\Links\TextInputHost.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1604
        • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe
          "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:688
        • C:\Users\Public\Libraries\RuntimeBroker.exe
          C:\Users\Public\Libraries\RuntimeBroker.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3940
        • C:\Program Files\Google\Registry.exe
          "C:\Program Files\Google\Registry.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3872
        • C:\Users\Admin\Videos\csrss.exe
          C:\Users\Admin\Videos\csrss.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2012
        • C:\Program Files\Common Files\services.exe
          "C:\Program Files\Common Files\services.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4384
        • C:\Program Files\Reference Assemblies\fontdrvhost.exe
          "C:\Program Files\Reference Assemblies\fontdrvhost.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3928
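
The schtasks entries in the tree above, together with the "Scheduled Task/Job" and "Uses Task Scheduler COM API" signatures, show one persistence pattern repeated for every dropped binary: the file borrows a Windows process name (RuntimeBroker.exe, fontdrvhost.exe, wininit.exe, services.exe, csrss.exe, TextInputHost.exe, sysmon.exe, Registry.exe), lands in a user-writable or seldom-inspected folder outside %SystemRoot%, and is registered three times (a MINUTE trigger, an ONLOGON trigger with /rl HIGHEST, and a second MINUTE trigger with /rl HIGHEST). The batch file under cmd.exe also runs `w32tm /stripchart /computer:localhost` before launching sysmon.exe. The Python below is an added detection sketch, not code from the sandbox, the report or the sample: it parses schtasks command lines copied from this report (plus one benign line constructed for contrast), flags targets whose basename is a system-process name but whose directory is not under %SystemRoot%, groups the triggers per target, and separately marks the w32tm call. The SYSTEM_NAMES list, the %SystemRoot% allow-list and the reading of w32tm as a delay trick are assumptions, noted in the comments.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: command lines copied from the process tree in this
# report, plus one benign line made up for contrast (not from the report).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Google\Registry.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sysmon.exe'" /f''',
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    # benign, constructed: a real System32 binary with arguments, daily trigger
    r'''schtasks.exe /create /tn "Maintenance" /sc DAILY /st 03:00 /tr "C:\Windows\System32\wbadmin.exe start backup -quiet" /f''',
]

# Windows process names this sample's droppers borrow (assumption: the list a
# deployment would tune). Note the "Registry" process has no on-disk binary at
# all, so any Registry.exe is fake by construction.
SYSTEM_NAMES = {
    "runtimebroker.exe", "fontdrvhost.exe", "wininit.exe", "services.exe",
    "csrss.exe", "registry.exe", "textinputhost.exe", "sysmon.exe",
}
# Assumed allow-list: these names are legitimate only under %SystemRoot%.
# C:\Windows itself is included because Sysinternals' Sysmon installs there.
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
              r"c:\windows\winsxs", r"c:\windows\systemapps")

_CREATE = re.compile(r"^\s*(?:\S*\\)?schtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
_SWITCH = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)
_EXE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)
_W32TM_DELAY = re.compile(r"\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b", re.IGNORECASE)


def parse_schtasks(cmdline: str):
    """Return the /tn /sc /mo /tr /rl switches of a `schtasks /create` line, else None."""
    if not _CREATE.match(cmdline):
        return None
    return {k.lower(): v.strip('"') for k, v in _SWITCH.findall(cmdline)}


def target_exe(tr_value: str) -> str:
    """Executable named by /tr, minus schtasks' double quotes, the sample's inner
    single quotes, and any trailing arguments."""
    inner = tr_value.strip().strip("'").strip()
    m = _EXE.match(inner)
    return m.group(1) if m else inner


def masquerading_target(opts: dict):
    """Path from /tr if it carries a Windows process name but sits outside %SystemRoot%."""
    exe = target_exe(opts.get("tr", ""))
    name = ntpath.basename(exe).lower()
    folder = ntpath.dirname(exe).lower()
    under_system_root = folder == r"c:\windows" or folder.startswith(LEGIT_DIRS)
    return None if name not in SYSTEM_NAMES or under_system_root else exe


def trigger(opts: dict) -> str:
    """Short description of the task trigger, so the triple registration is visible."""
    sc = opts.get("sc", "").upper()
    when = f"every {opts.get('mo', '1')} min" if sc == "MINUTE" else sc.lower()
    if opts.get("rl", "").upper() == "HIGHEST":
        when += " (HIGHEST)"
    return when


def is_w32tm_delay(cmdline: str) -> bool:
    """w32tm /stripchart against localhost with a handful of samples performs no
    useful time sync; batch droppers use it as a sleep substitute. This is the
    editor's interpretation of the w32tm call in the tree, not a sandbox verdict."""
    return bool(_W32TM_DELAY.search(cmdline))


def analyze(cmdlines):
    """Group masquerading task targets by trigger; count benign tasks and delay tricks."""
    result = {"masqueraded": defaultdict(list), "delays": [], "benign_tasks": 0}
    for line in cmdlines:
        if is_w32tm_delay(line):
            result["delays"].append(line)
            continue
        opts = parse_schtasks(line)
        if opts is None:
            continue
        exe = masquerading_target(opts)
        if exe is None:
            result["benign_tasks"] += 1
            continue
        result["masqueraded"][exe].append(trigger(opts))
    result["masqueraded"] = dict(result["masqueraded"])
    return result


if __name__ == "__main__":
    report = analyze(SAMPLE_CMDLINES)
    for exe, triggers in report["masqueraded"].items():
        print(f"{exe}: {', '.join(triggers)}")
    print(f"{len(report['delays'])} delay trick(s), {report['benign_tasks']} benign task(s)")
```

On a live host the same check can be run against `schtasks /query /v /fo csv` or Sysmon event ID 1 command lines; the allow-list is the part to tune, since a legitimate Sysmon or a per-user app can sit outside System32. Note that in this sample all `/rl HIGHEST` registrations succeed only because Loader.exe already runs elevated enough to create them, so the sandbox's own run level is part of what the triple registration relies on.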

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProviderdriverIntocommon\88xPq.vbe

          Filesize

          208B

          MD5

          b564930885f2d5234f25eb8251f32a39

          SHA1

          dd29e4edd586ec9f224494a3acac72e463b03496

          SHA256

          fbdc4cba4a8dff410b24577cb12a693de0ae1579a57dd035fa54ccb22aeb148c

          SHA512

          2f14edb3ba61873a118907a5d5f8d150f0b886a842e320be568a42f1be2a97b270890173848613dd142af09471b16af3d39e766182d0ae10ad21d4dd47906907

        • C:\ProviderdriverIntocommon\agbLTe.bat

          Filesize

          47B

          MD5

          3a8731fb4a1c8ac840d9da87b0fabc01

          SHA1

          589cd7631e9487d7287028a9b5e3011ddeb93b02

          SHA256

          bc644fae4d644abc18bd3402435843b5334899e9d4b4871d1fb3c70e7886f353

          SHA512

          2582a5c027f1fcf2cc9a2c5b65bd85416e019d1a8dd36f83c8a324d9fd37a4f84f635dafd3dd47f045eff9e106d1411a0ea85616b46982770cdce3fe0db6d9fb

        • C:\ProviderdriverIntocommon\blocksavesdll.exe

          Filesize

          1.3MB

          MD5

          ad376a322a947569110fd3b721931efe

          SHA1

          ad9798db572cf3019c2f147ba899d758993727cf

          SHA256

          fe2c7f0a58f640ec6b27f288e81d2e9af3db943f835afbc6367bc4768a12254d

          SHA512

          6a466e4ec5a792630ac560970f8f3339f61c01c03358db702f248e1104b2609b27ede017f1e1039b1b785d879b9cf276da5e1eb10c9aea8f678e76ed72f15efd

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

          Filesize

          1KB

          MD5

          baf55b95da4a601229647f25dad12878

          SHA1

          abc16954ebfd213733c4493fc1910164d825cac8

          SHA256

          ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

          SHA512

          24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

        • C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe

          Filesize

          1.7MB

          MD5

          01e38e791b2dcba64ee53f97b6e4059c

          SHA1

          b732849edbab22895fbf0b4e6caba3f4d5006081

          SHA256

          b529006e6b49d8b3edc5692ee4489ff70f8a58e4a4ee387c330dfa5fa3453158

          SHA512

          0a993abd964c9ccb100b7a6006dc1ef58dea391a0b70c51729f9c668b903db42d7cf1952598a450107d26fd2ecbc8ec56b46544e76f03944a3cf77167945fc65

        • C:\Users\Admin\AppData\Local\Temp\uaov4e74DQ.bat

          Filesize

          191B

          MD5

          ebfb613652b09a7ab70e2ea10419267c

          SHA1

          17f76c27b1fd7a711baca1edabb7f1c65d724b3f

          SHA256

          830394e43f7f686328910aea6f33948e066dff334fee0bad79917089b7098857

          SHA512

          765c8051b1609f8b13d48e8e8c025d9755bcdbff9a4f7d4c3195d258649f622daf021728d9ff9469e035c65a67c4d00ebbefbfd2caaf0f1c25d06a346437ccdd

        • memory/2416-133-0x000000001CFD0000-0x000000001D4F8000-memory.dmp

          Filesize

          5.2MB

        • memory/2416-132-0x000000001C6D0000-0x000000001C892000-memory.dmp

          Filesize

          1.8MB

        • memory/4980-90-0x0000000002C60000-0x0000000002C7C000-memory.dmp

          Filesize

          112KB

        • memory/4980-91-0x000000001B6D0000-0x000000001B720000-memory.dmp

          Filesize

          320KB

        • memory/4980-94-0x000000001B690000-0x000000001B69E000-memory.dmp

          Filesize

          56KB

        • memory/4980-92-0x0000000002C80000-0x0000000002C96000-memory.dmp

          Filesize

          88KB

        • memory/4980-93-0x000000001B680000-0x000000001B690000-memory.dmp

          Filesize

          64KB

        • memory/4980-89-0x0000000002C50000-0x0000000002C5E000-memory.dmp

          Filesize

          56KB

        • memory/4980-88-0x00000000009E0000-0x0000000000B3A000-memory.dmp

          Filesize

          1.4MB