fee789b3564d2b48e231b12b4fbe28c45d64704e3740c9a21a921699dfba35c3

Resubmissions

01/07/2024, 07:04

240701-hv4nmasckk 3

01/07/2024, 06:54

240701-hpnp8aydne 6

01/07/2024, 06:50

240701-hmedrsydjc 6

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/CeleryApp.exe
Size

8.8MB
MD5

d2a7e4f3b8fdc023e6579c35e5e83769
SHA1

43ce10ac8a1c9423cd70991bbb92c7ad9632cb2c
SHA256

43f78f751afc09617b735d086c6855471e34d6ca78a6a862b6448bf67a8f0faf
SHA512

d999132c597ff4c407b5de2c4aa9a39f95e92064680b370fb9e6966e1af0726fdd063d8e15e29fda370b163d71ead9da7d103fb36e37a2388432fb18ae47193a
SSDEEP

98304:zQgLIRfyC7egWJ3iJzdjf4fwraOWcD9XdMPABIw/t6KHDicVwzUs7o:zQguhegD4fJOWs9XNBZ16M2cuU

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CeleryApp.exe

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-de-1901.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-de-1996.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-en-gb.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-es.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-gu.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-or.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-cu.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-bn.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-cy.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-ml.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-nn.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-tk.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-be.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-fr.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-te.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1863198854\manifest.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-da.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-et.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-hr.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-la.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-mn-cyrl.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-und-ethi.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\manifest.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1814050655\manifest.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-as.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-hu.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-hy.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-mr.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1814050655\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-de-ch-1901.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-kn.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-pa.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-pt.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-sl.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\_metadata\verified_contents.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1863198854\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-eu.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-nb.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-ta.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1863198854\protocols.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1814050655\Microsoft.CognitiveServices.Speech.core.dll	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-ga.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-en-us.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-hi.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-bg.hyb	msedgewebview2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642904015584429"	msedgewebview2.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	CeleryApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	CeleryApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Release\\rstrap.exe,1"	CeleryApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	CeleryApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	CeleryApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	CeleryApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	CeleryApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL:roblox-player"	CeleryApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2400	msedgewebview2.exe
2400	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
2072	msedgewebview2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 2072	4276	CeleryApp.exe	97
PID 4276 wrote to memory of 2072	4276	CeleryApp.exe	97
PID 2072 wrote to memory of 3796	2072	msedgewebview2.exe	98
PID 2072 wrote to memory of 3796	2072	msedgewebview2.exe	98
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 1364	2072	msedgewebview2.exe	99
PID 2072 wrote to memory of 3112	2072	msedgewebview2.exe	100
PID 2072 wrote to memory of 3112	2072	msedgewebview2.exe	100
PID 2072 wrote to memory of 1112	2072	msedgewebview2.exe	101
PID 2072 wrote to memory of 1112	2072	msedgewebview2.exe	101
PID 2072 wrote to memory of 1112	2072	msedgewebview2.exe	101
PID 2072 wrote to memory of 1112	2072	msedgewebview2.exe	101
PID 2072 wrote to memory of 1112	2072	msedgewebview2.exe	101
PID 2072 wrote to memory of 1112	2072	msedgewebview2.exe	101
PID 2072 wrote to memory of 1112	2072	msedgewebview2.exe	101

C:\Users\Admin\AppData\Local\Temp\Release\CeleryApp.exe
"C:\Users\Admin\AppData\Local\Temp\Release\CeleryApp.exe"
1⤵
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=4276.2972.15573736590673936098
  2⤵
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=125.0.2535.92 --initial-client-data=0x15c,0x160,0x164,0x138,0x170,0x7ff8a6014ef8,0x7ff8a6014f04,0x7ff8a6014f10
    3⤵
    PID:3796
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1760,i,105712853887223623,11113407579294478219,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=1704 /prefetch:2
    3⤵
    PID:1364
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=1904,i,105712853887223623,11113407579294478219,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=2032 /prefetch:3
    3⤵
    PID:3112
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=1688,i,105712853887223623,11113407579294478219,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:8
    3⤵
    PID:1112
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3696,i,105712853887223623,11113407579294478219,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=3704 /prefetch:1
    3⤵
    PID:4560
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=4720,i,105712853887223623,11113407579294478219,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4736 /prefetch:8
    3⤵
    PID:744
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=4356,i,105712853887223623,11113407579294478219,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=3868 /prefetch:8
    3⤵
    PID:5116
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2288,i,105712853887223623,11113407579294478219,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4864 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2400
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=4584,i,105712853887223623,11113407579294478219,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:8
    3⤵
    PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,18320353784098040629,17273168055569331828,262144 --variations-seed-version --mojo-platform-channel-handle=1720 /prefetch:8
1⤵
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping2072_1863198854\manifest.json

Filesize
134B

MD5
58d3ca1189df439d0538a75912496bcf

SHA1
99af5b6a006a6929cc08744d1b54e3623fec2f36

SHA256
a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

SHA512
afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2072_415465565\manifest.json

Filesize
179B

MD5
273755bb7d5cc315c91f47cab6d88db9

SHA1
c933c95cc07b91294c65016d76b5fa0fa25b323b

SHA256
0e22719a850c49b3fba3f23f69c8ff785ce3dee233030ed1ad6e6563c75a9902

SHA512
0e375846a5b10cc29b7846b20a5a9193ea55ff802f668336519ff275fb3d179d8d6654fe1d410764992b85a309a3e001cede2f4acdec697957eb71bdeb234bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json

Filesize
3KB

MD5
6bbb18bb210b0af189f5d76a65f7ad80

SHA1
87b804075e78af64293611a637504273fadfe718

SHA256
01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

SHA512
4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
4bfdac7d69f5cc00d781035db3108798

SHA1
8d463aa877daf2ce9481ecfaa15084110f7705ce

SHA256
12951fe2f07599844acb3cdd9ec737936295492675b74b31bdc8a5ba8ff43520

SHA512
782a3d5d9cf6b8561d66f191e56f3f2dba63e0c1c9875cfb6d3afeca084150f630611b265a1e0d92d997d5f8f136505cf6b9cd791c4b84aa312881b578e65972

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
221be4131ed75987593c4ee95ed05f87

SHA1
0fc7edb16f173cd7b6140d1efa7c2278bb7184e3

SHA256
e32db074299d5e5ea223c0cd07c6deeeec3cdde9d1d8fbd1112a59159e807b36

SHA512
c2ec03544c03f833934b288cb501832e3df6eab6cf050a153fd74a2219d407f3a3d907e62a4a0d15e47fef6ddc7e7b1064dd38f9467ff23e8cc635267b366c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\6e44a84b-f03d-4bc4-a70d-7fb58909576a.tmp

Filesize
6KB

MD5
96a2fdbc8d8f8b966e1d8157e34e5a01

SHA1
a2756b12ae52e61b6b8d654ddcf39dae671e2eed

SHA256
221b2b14ca617fa2a330cc573504c4fd0fc0c718bcc3179cffd7c8fd617fd65c

SHA512
df584b76635d066c9a83a33d388e7dfffa7fd02ca87434eeb2691c40e02f6b357622479b8a02f6808e3c40bd790c940a70bb195ba438252c5e0aa4cdfc7cb1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Network\Network Persistent State~RFe592178.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Preferences

Filesize
6KB

MD5
98e82a1ba1b6c690133342eba868734b

SHA1
f42468bac7dca1656d38820795bd1fb82b376830

SHA256
8ef8395e4d4fb12e751ef2d27bccda984fefacb3bfd7f8cc149db234df16fa45

SHA512
8cc0533410655804d49808ab9b373261777de3333889b2b19ac256d120f67a552a7bfe6311377134474e2c27b79bb6b55c5f379a19bd52caf52c383483768dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Preferences

Filesize
6KB

MD5
281957fbb6fe6b474fda21737fff38b9

SHA1
3417a4e83cd647b228e4729aabf8011fa4945189

SHA256
4be7810beb29ac212cb938adb498daa87b0e417330d894a61e75ee39d5f71f38

SHA512
92d6b850c911bc0afcf40b91a215332fde33d25be875828fa33902fbf41970019a27db0ff3417699f676cf02d913ff524433083629c362d13d42f476b9afbd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Local State

Filesize
1KB

MD5
13cb919da3cb725461db0a72637974c2

SHA1
b7d0fd351ed730aa39bb08ea22eeaad492811242

SHA256
b4d552aee517f82154335402da53d01f87b275b941ebdc0fc0b6489bffb436cf

SHA512
52d6cbb92012fdd81ab230443ba95a68d4607f08498e8a65db730cba8d495a55b0da419d40d78c6957988e849d0a7bfe8936015dad2a93fe047d9fefc1b423ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Local State

Filesize
2KB

MD5
b85f1652b8c5b945ec74aa7cef49827c

SHA1
c8fe24c6ad0f1dd03081d82c6e7a39456918e64a

SHA256
4e4f5004217aef2686aae9b7300f2abf954cf661b58dff7c5641dedc5afb30ff

SHA512
7a6c8d5cc2b00f14ee5dd773b2873c361768bf8e070ec201c724c18d9df61d4381eb67f74b88a2be065c710fa4a224f264f1ab56953257be84daf5e8b8f1fa7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Local State

Filesize
3KB

MD5
95a3ea58dd374e6b78ae3a8a738e9ffa

SHA1
f3988fb44c20960f257c7f332b3800320283493a

SHA256
abfd7a2e9f74a427a7f0927fc453908cc58132e802fee24d7ab7a8b4d4fec6b4

SHA512
d7caf8da7138ae21934e9b2970d6013a0c545d70a8ee61aecc49e9c630222f8ddc33ed1b18f703ba9c4b938abd12fa02b0fb0986d78b22ea72e38bcd29435605

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Local State

Filesize
3KB

MD5
1d0397690b8862012a952a14c9949576

SHA1
751079c439318f0987f44292680e298fc9574121

SHA256
e3028e0ef17154da8fac0dcda65c1312468003e2d137ff93be364568f4f4f8c2

SHA512
1dd9f5a552d1ce4f080561babfe790022edb917760739f479360eb8e954db5eb8870c95912b045121eafdd6961c7188df404c241b6e552fb7cc002ebad7c8dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Local State

Filesize
3KB

MD5
1236a44358f3bac88137e89d76583f1f

SHA1
a1e4a4833c79a46574dc2d60f445d77974e6db42

SHA256
0d959ceacf732b203f428d7427509265b8becb842d1957d761c75438a162429d

SHA512
56eb65c22a951380a7a4d8fcc913de8d8f76afb80dae5ea360dca24878e05b1a4879266fff3f0c5b7db98e8d0e50f410f6ab5129433ad069cd050075f0c134b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Local State

Filesize
17KB

MD5
909658da8c3498d69c8c308ba2dc09e2

SHA1
df6287dc86aaeb98ce0536a4a610c1fbe7536ee5

SHA256
4d0f8367f289902e3212ac871cc65a16f00b0efcd61b4a885039e1adbafc842d

SHA512
02b2476babc4b93ef76f93e0c532d6f6a8de6457081ee0c010eb19adbd276e95f6fc70acaf989fee5fed9daeccda58a9b34ab65268e9c257653926be709663c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Local State~RFe57fb19.TMP

Filesize
1KB

MD5
5219034e4c0092382836a7921bfeb5df

SHA1
87e5fd2728bc5d936383a091ce180df4485369c8

SHA256
7b8dd2beccb2fefbba119ec99facce2bc15604fcc04d0b87356b492113085355

SHA512
54b56bc5160a79de72ad148aeb0107679c4355a671b5287dab17094c663eacd8b25dbb4e849cd3f0d38c11b80dfd7efdb92aa24b7437d4baa4f8b31e625852d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\hyphen-data\101.0.4906.0\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
memory/1112-92-0x00007FF8CDCA0000-0x00007FF8CDCA1000-memory.dmp

Filesize
4KB

Download
memory/1112-98-0x00007FF8CC5E0000-0x00007FF8CC5E1000-memory.dmp

Filesize
4KB

Download
memory/1364-201-0x0000019ECCFD0000-0x0000019ECD171000-memory.dmp

Filesize
1.6MB

Download
memory/1364-48-0x00007FF8CDAF0000-0x00007FF8CDAF1000-memory.dmp

Filesize
4KB

Download
memory/2400-523-0x0000022D362E0000-0x0000022D362E1000-memory.dmp

Filesize
4KB

Download
memory/2400-529-0x0000022D362E0000-0x0000022D362E1000-memory.dmp

Filesize
4KB

Download
memory/2400-530-0x0000022D362E0000-0x0000022D362E1000-memory.dmp

Filesize
4KB

Download
memory/2400-531-0x0000022D362E0000-0x0000022D362E1000-memory.dmp

Filesize
4KB

Download
memory/2400-532-0x0000022D362E0000-0x0000022D362E1000-memory.dmp

Filesize
4KB

Download
memory/2400-533-0x0000022D362E0000-0x0000022D362E1000-memory.dmp

Filesize
4KB

Download
memory/2400-528-0x0000022D362E0000-0x0000022D362E1000-memory.dmp

Filesize
4KB

Download
memory/2400-527-0x0000022D362E0000-0x0000022D362E1000-memory.dmp

Filesize
4KB

Download
memory/2400-521-0x0000022D362E0000-0x0000022D362E1000-memory.dmp

Filesize
4KB

Download
memory/2400-522-0x0000022D362E0000-0x0000022D362E1000-memory.dmp

Filesize
4KB

Download
memory/4276-12-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-4-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-209-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-210-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-26-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-6-0x000002757F470000-0x000002757F52A000-memory.dmp

Filesize
744KB

Download
memory/4276-25-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-10-0x000002757F7B0000-0x000002757F7E8000-memory.dmp

Filesize
224KB

Download
memory/4276-11-0x000002757F410000-0x000002757F41E000-memory.dmp

Filesize
56KB

Download
memory/4276-18-0x000002757FA20000-0x000002757FA2A000-memory.dmp

Filesize
40KB

Download
memory/4276-19-0x000002757FA30000-0x000002757FA3A000-memory.dmp

Filesize
40KB

Download
memory/4276-5-0x000002757FAE0000-0x00000275803FE000-memory.dmp

Filesize
9.1MB

Download
memory/4276-3-0x000002757F170000-0x000002757F1C0000-memory.dmp

Filesize
320KB

Download
memory/4276-207-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-2-0x000002757F130000-0x000002757F170000-memory.dmp

Filesize
256KB

Download
memory/4276-1-0x000002757C2E0000-0x000002757CBA6000-memory.dmp

Filesize
8.8MB

Download
memory/4276-206-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-203-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-9-0x000002757F400000-0x000002757F408000-memory.dmp

Filesize
32KB

Download
memory/4276-202-0x00007FF8AD803000-0x00007FF8AD805000-memory.dmp

Filesize
8KB

Download
memory/4276-178-0x000002751ED40000-0x000002751F268000-memory.dmp

Filesize
5.2MB

Download
memory/4276-177-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-7-0x000002757F030000-0x000002757F03E000-memory.dmp

Filesize
56KB

Download
memory/4276-8-0x000002757F530000-0x000002757F5A4000-memory.dmp

Filesize
464KB

Download
memory/4276-0-0x00007FF8AD803000-0x00007FF8AD805000-memory.dmp

Filesize
8KB

Download
memory/4276-13-0x00007FF8AD800000-0x00007FF8AE2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4560-161-0x00007FF8CDAF0000-0x00007FF8CDAF1000-memory.dmp

Filesize
4KB

Download