Malware Analysis Report

2024-11-13 13:46

Sample ID 240716-tzhsha1cnq
Target Celestial Crack.zip
SHA256 3d5c1e8b26ab2596b9109d465b2edaaecea6e19b1a976a102b2a855249d70915
Tags rat upx dcrat infostealer spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

3d5c1e8b26ab2596b9109d465b2edaaecea6e19b1a976a102b2a855249d70915

Threat Level: Known bad

The file Celestial Crack.zip was found to be: Known bad.

Malicious Activity Summary

rat upx dcrat infostealer spyware stealer

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

DCRat payload

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

UPX packed file

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 16:29

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Dcrat family

dcrat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 16:29

Reported

2024-07-16 17:01

Platform

win10v2004-20240709-en

Max time kernel

1700s

Max time network

1801s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Celestial Crack.zip"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\ProviderdriverIntocommon\blocksavesdll.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Program Files\Google\Registry.exe N/A
N/A N/A C:\Program Files\Common Files\services.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\fontdrvhost.exe N/A
N/A N/A C:\Users\Admin\Favorites\Links\TextInputHost.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Google\Registry.exe N/A
N/A N/A C:\Program Files\Common Files\services.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\fontdrvhost.exe N/A
N/A N/A C:\Users\Admin\Videos\csrss.exe N/A
N/A N/A C:\Users\Admin\Favorites\Links\TextInputHost.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Program Files\Google\Registry.exe N/A
N/A N/A C:\Program Files\Common Files\services.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\fontdrvhost.exe N/A
N/A N/A C:\Users\Admin\Favorites\Links\TextInputHost.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Google\Registry.exe N/A
N/A N/A C:\Users\Admin\Videos\csrss.exe N/A
N/A N/A C:\Program Files\Common Files\services.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\fontdrvhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\wininit.exe C:\ProviderdriverIntocommon\blocksavesdll.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\ee2ad38f3d4382 C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files\Reference Assemblies\5b884080fd4f94 C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files\Google\Registry.exe C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\56085415360792 C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382 C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files\Common Files\services.exe C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files\Common Files\c5b4cb5e9653cc C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\9e8d7a4ca61bd9 C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
File created C:\Program Files\Reference Assemblies\fontdrvhost.exe C:\ProviderdriverIntocommon\blocksavesdll.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\ProviderdriverIntocommon\blocksavesdll.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A
N/A N/A C:\Users\Public\sysmon.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Public\sysmon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\ProviderdriverIntocommon\blocksavesdll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\services.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Reference Assemblies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Favorites\Links\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Libraries\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\services.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Reference Assemblies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Favorites\Links\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\services.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Reference Assemblies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Favorites\Links\TextInputHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Libraries\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\services.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Reference Assemblies\fontdrvhost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe C:\Windows\SysWOW64\WScript.exe
PID 1512 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe C:\Windows\SysWOW64\WScript.exe
PID 1512 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe C:\Windows\SysWOW64\WScript.exe
PID 4984 wrote to memory of 1412 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 1412 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 1412 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\ProviderdriverIntocommon\blocksavesdll.exe
PID 1412 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\ProviderdriverIntocommon\blocksavesdll.exe
PID 4980 wrote to memory of 860 N/A C:\ProviderdriverIntocommon\blocksavesdll.exe C:\Windows\System32\cmd.exe
PID 4980 wrote to memory of 860 N/A C:\ProviderdriverIntocommon\blocksavesdll.exe C:\Windows\System32\cmd.exe
PID 860 wrote to memory of 4272 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 860 wrote to memory of 4272 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 860 wrote to memory of 2416 N/A C:\Windows\System32\cmd.exe C:\Users\Public\sysmon.exe
PID 860 wrote to memory of 2416 N/A C:\Windows\System32\cmd.exe C:\Users\Public\sysmon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Celestial Crack.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Celestial Crack\" -spe -an -ai#7zMap22461:110:7zEvent32038

C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProviderdriverIntocommon\88xPq.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProviderdriverIntocommon\agbLTe.bat" "

C:\ProviderdriverIntocommon\blocksavesdll.exe

"C:\ProviderdriverIntocommon\blocksavesdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\Links\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Favorites\Links\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Google\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uaov4e74DQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\sysmon.exe

"C:\Users\Public\sysmon.exe"

C:\Program Files\Google\Registry.exe

"C:\Program Files\Google\Registry.exe"

C:\Program Files\Common Files\services.exe

"C:\Program Files\Common Files\services.exe"

C:\Program Files\Reference Assemblies\fontdrvhost.exe

"C:\Program Files\Reference Assemblies\fontdrvhost.exe"

C:\Users\Admin\Favorites\Links\TextInputHost.exe

C:\Users\Admin\Favorites\Links\TextInputHost.exe

C:\Users\Public\sysmon.exe

C:\Users\Public\sysmon.exe

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe

"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe"

C:\Users\Public\Libraries\RuntimeBroker.exe

C:\Users\Public\Libraries\RuntimeBroker.exe

C:\Program Files\Google\Registry.exe

"C:\Program Files\Google\Registry.exe"

C:\Program Files\Common Files\services.exe

"C:\Program Files\Common Files\services.exe"

C:\Program Files\Reference Assemblies\fontdrvhost.exe

"C:\Program Files\Reference Assemblies\fontdrvhost.exe"

C:\Users\Admin\Videos\csrss.exe

C:\Users\Admin\Videos\csrss.exe

C:\Users\Admin\Favorites\Links\TextInputHost.exe

C:\Users\Admin\Favorites\Links\TextInputHost.exe

C:\Users\Public\sysmon.exe

C:\Users\Public\sysmon.exe

C:\Program Files\Google\Registry.exe

"C:\Program Files\Google\Registry.exe"

C:\Program Files\Common Files\services.exe

"C:\Program Files\Common Files\services.exe"

C:\Program Files\Reference Assemblies\fontdrvhost.exe

"C:\Program Files\Reference Assemblies\fontdrvhost.exe"

C:\Users\Admin\Favorites\Links\TextInputHost.exe

C:\Users\Admin\Favorites\Links\TextInputHost.exe

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe

"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe"

C:\Users\Public\Libraries\RuntimeBroker.exe

C:\Users\Public\Libraries\RuntimeBroker.exe

C:\Program Files\Google\Registry.exe

"C:\Program Files\Google\Registry.exe"

C:\Users\Admin\Videos\csrss.exe

C:\Users\Admin\Videos\csrss.exe

C:\Program Files\Common Files\services.exe

"C:\Program Files\Common Files\services.exe"

C:\Program Files\Reference Assemblies\fontdrvhost.exe

"C:\Program Files\Reference Assemblies\fontdrvhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 33.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 613761cm.n9shteam1.top udp
US 104.21.22.205:80 613761cm.n9shteam1.top tcp
US 104.21.22.205:80 613761cm.n9shteam1.top tcp
US 8.8.8.8:53 205.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 42.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Celestial Crack\Loader.exe

MD5 01e38e791b2dcba64ee53f97b6e4059c
SHA1 b732849edbab22895fbf0b4e6caba3f4d5006081
SHA256 b529006e6b49d8b3edc5692ee4489ff70f8a58e4a4ee387c330dfa5fa3453158
SHA512 0a993abd964c9ccb100b7a6006dc1ef58dea391a0b70c51729f9c668b903db42d7cf1952598a450107d26fd2ecbc8ec56b46544e76f03944a3cf77167945fc65

C:\ProviderdriverIntocommon\88xPq.vbe

MD5 b564930885f2d5234f25eb8251f32a39
SHA1 dd29e4edd586ec9f224494a3acac72e463b03496
SHA256 fbdc4cba4a8dff410b24577cb12a693de0ae1579a57dd035fa54ccb22aeb148c
SHA512 2f14edb3ba61873a118907a5d5f8d150f0b886a842e320be568a42f1be2a97b270890173848613dd142af09471b16af3d39e766182d0ae10ad21d4dd47906907

C:\ProviderdriverIntocommon\agbLTe.bat

MD5 3a8731fb4a1c8ac840d9da87b0fabc01
SHA1 589cd7631e9487d7287028a9b5e3011ddeb93b02
SHA256 bc644fae4d644abc18bd3402435843b5334899e9d4b4871d1fb3c70e7886f353
SHA512 2582a5c027f1fcf2cc9a2c5b65bd85416e019d1a8dd36f83c8a324d9fd37a4f84f635dafd3dd47f045eff9e106d1411a0ea85616b46982770cdce3fe0db6d9fb

C:\ProviderdriverIntocommon\blocksavesdll.exe

MD5 ad376a322a947569110fd3b721931efe
SHA1 ad9798db572cf3019c2f147ba899d758993727cf
SHA256 fe2c7f0a58f640ec6b27f288e81d2e9af3db943f835afbc6367bc4768a12254d
SHA512 6a466e4ec5a792630ac560970f8f3339f61c01c03358db702f248e1104b2609b27ede017f1e1039b1b785d879b9cf276da5e1eb10c9aea8f678e76ed72f15efd

memory/4980-88-0x00000000009E0000-0x0000000000B3A000-memory.dmp

memory/4980-89-0x0000000002C50000-0x0000000002C5E000-memory.dmp

memory/4980-90-0x0000000002C60000-0x0000000002C7C000-memory.dmp

memory/4980-93-0x000000001B680000-0x000000001B690000-memory.dmp

memory/4980-92-0x0000000002C80000-0x0000000002C96000-memory.dmp

memory/4980-91-0x000000001B6D0000-0x000000001B720000-memory.dmp

memory/4980-94-0x000000001B690000-0x000000001B69E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uaov4e74DQ.bat

MD5 ebfb613652b09a7ab70e2ea10419267c
SHA1 17f76c27b1fd7a711baca1edabb7f1c65d724b3f
SHA256 830394e43f7f686328910aea6f33948e066dff334fee0bad79917089b7098857
SHA512 765c8051b1609f8b13d48e8e8c025d9755bcdbff9a4f7d4c3195d258649f622daf021728d9ff9469e035c65a67c4d00ebbefbfd2caaf0f1c25d06a346437ccdd

memory/2416-132-0x000000001C6D0000-0x000000001C892000-memory.dmp

memory/2416-133-0x000000001CFD0000-0x000000001D4F8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545