Analysis Overview
SHA256
3d5c1e8b26ab2596b9109d465b2edaaecea6e19b1a976a102b2a855249d70915
Threat Level: Known bad
The file Celestial Crack.zip was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
Process spawned unexpected child process
DcRat
DCRat payload
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
UPX packed file
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-16 16:29
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Dcrat family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-16 16:29
Reported
2024-07-16 17:01
Platform
win10v2004-20240709-en
Max time kernel
1700s
Max time network
1801s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\wininit.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\ee2ad38f3d4382 | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\5b884080fd4f94 | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\Google\Registry.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\56085415360792 | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382 | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\Common Files\services.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\Common Files\c5b4cb5e9653cc | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\de-DE\9e8d7a4ca61bd9 | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\fontdrvhost.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\sysmon.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Celestial Crack.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Celestial Crack\" -spe -an -ai#7zMap22461:110:7zEvent32038
C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProviderdriverIntocommon\88xPq.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProviderdriverIntocommon\agbLTe.bat" "
C:\ProviderdriverIntocommon\blocksavesdll.exe
"C:\ProviderdriverIntocommon\blocksavesdll.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\Links\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Favorites\Links\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Google\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uaov4e74DQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\sysmon.exe
"C:\Users\Public\sysmon.exe"
C:\Program Files\Google\Registry.exe
"C:\Program Files\Google\Registry.exe"
C:\Program Files\Common Files\services.exe
"C:\Program Files\Common Files\services.exe"
C:\Program Files\Reference Assemblies\fontdrvhost.exe
"C:\Program Files\Reference Assemblies\fontdrvhost.exe"
C:\Users\Admin\Favorites\Links\TextInputHost.exe
C:\Users\Admin\Favorites\Links\TextInputHost.exe
C:\Users\Public\sysmon.exe
C:\Users\Public\sysmon.exe
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe"
C:\Users\Public\Libraries\RuntimeBroker.exe
C:\Users\Public\Libraries\RuntimeBroker.exe
C:\Program Files\Google\Registry.exe
"C:\Program Files\Google\Registry.exe"
C:\Program Files\Common Files\services.exe
"C:\Program Files\Common Files\services.exe"
C:\Program Files\Reference Assemblies\fontdrvhost.exe
"C:\Program Files\Reference Assemblies\fontdrvhost.exe"
C:\Users\Admin\Videos\csrss.exe
C:\Users\Admin\Videos\csrss.exe
C:\Users\Admin\Favorites\Links\TextInputHost.exe
C:\Users\Admin\Favorites\Links\TextInputHost.exe
C:\Users\Public\sysmon.exe
C:\Users\Public\sysmon.exe
C:\Program Files\Google\Registry.exe
"C:\Program Files\Google\Registry.exe"
C:\Program Files\Common Files\services.exe
"C:\Program Files\Common Files\services.exe"
C:\Program Files\Reference Assemblies\fontdrvhost.exe
"C:\Program Files\Reference Assemblies\fontdrvhost.exe"
C:\Users\Admin\Favorites\Links\TextInputHost.exe
C:\Users\Admin\Favorites\Links\TextInputHost.exe
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe"
C:\Users\Public\Libraries\RuntimeBroker.exe
C:\Users\Public\Libraries\RuntimeBroker.exe
C:\Program Files\Google\Registry.exe
"C:\Program Files\Google\Registry.exe"
C:\Users\Admin\Videos\csrss.exe
C:\Users\Admin\Videos\csrss.exe
C:\Program Files\Common Files\services.exe
"C:\Program Files\Common Files\services.exe"
C:\Program Files\Reference Assemblies\fontdrvhost.exe
"C:\Program Files\Reference Assemblies\fontdrvhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 613761cm.n9shteam1.top | udp |
| US | 104.21.22.205:80 | 613761cm.n9shteam1.top | tcp |
| US | 104.21.22.205:80 | 613761cm.n9shteam1.top | tcp |
| US | 8.8.8.8:53 | 205.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe
| MD5 | 01e38e791b2dcba64ee53f97b6e4059c |
| SHA1 | b732849edbab22895fbf0b4e6caba3f4d5006081 |
| SHA256 | b529006e6b49d8b3edc5692ee4489ff70f8a58e4a4ee387c330dfa5fa3453158 |
| SHA512 | 0a993abd964c9ccb100b7a6006dc1ef58dea391a0b70c51729f9c668b903db42d7cf1952598a450107d26fd2ecbc8ec56b46544e76f03944a3cf77167945fc65 |
C:\ProviderdriverIntocommon\88xPq.vbe
| MD5 | b564930885f2d5234f25eb8251f32a39 |
| SHA1 | dd29e4edd586ec9f224494a3acac72e463b03496 |
| SHA256 | fbdc4cba4a8dff410b24577cb12a693de0ae1579a57dd035fa54ccb22aeb148c |
| SHA512 | 2f14edb3ba61873a118907a5d5f8d150f0b886a842e320be568a42f1be2a97b270890173848613dd142af09471b16af3d39e766182d0ae10ad21d4dd47906907 |
C:\ProviderdriverIntocommon\agbLTe.bat
| MD5 | 3a8731fb4a1c8ac840d9da87b0fabc01 |
| SHA1 | 589cd7631e9487d7287028a9b5e3011ddeb93b02 |
| SHA256 | bc644fae4d644abc18bd3402435843b5334899e9d4b4871d1fb3c70e7886f353 |
| SHA512 | 2582a5c027f1fcf2cc9a2c5b65bd85416e019d1a8dd36f83c8a324d9fd37a4f84f635dafd3dd47f045eff9e106d1411a0ea85616b46982770cdce3fe0db6d9fb |
C:\ProviderdriverIntocommon\blocksavesdll.exe
| MD5 | ad376a322a947569110fd3b721931efe |
| SHA1 | ad9798db572cf3019c2f147ba899d758993727cf |
| SHA256 | fe2c7f0a58f640ec6b27f288e81d2e9af3db943f835afbc6367bc4768a12254d |
| SHA512 | 6a466e4ec5a792630ac560970f8f3339f61c01c03358db702f248e1104b2609b27ede017f1e1039b1b785d879b9cf276da5e1eb10c9aea8f678e76ed72f15efd |
memory/4980-88-0x00000000009E0000-0x0000000000B3A000-memory.dmp
memory/4980-89-0x0000000002C50000-0x0000000002C5E000-memory.dmp
memory/4980-90-0x0000000002C60000-0x0000000002C7C000-memory.dmp
memory/4980-93-0x000000001B680000-0x000000001B690000-memory.dmp
memory/4980-92-0x0000000002C80000-0x0000000002C96000-memory.dmp
memory/4980-91-0x000000001B6D0000-0x000000001B720000-memory.dmp
memory/4980-94-0x000000001B690000-0x000000001B69E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uaov4e74DQ.bat
| MD5 | ebfb613652b09a7ab70e2ea10419267c |
| SHA1 | 17f76c27b1fd7a711baca1edabb7f1c65d724b3f |
| SHA256 | 830394e43f7f686328910aea6f33948e066dff334fee0bad79917089b7098857 |
| SHA512 | 765c8051b1609f8b13d48e8e8c025d9755bcdbff9a4f7d4c3195d258649f622daf021728d9ff9469e035c65a67c4d00ebbefbfd2caaf0f1c25d06a346437ccdd |
memory/2416-132-0x000000001C6D0000-0x000000001C892000-memory.dmp
memory/2416-133-0x000000001CFD0000-0x000000001D4F8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |