hxxps://github[.]com/sten-code/Celery/releases/tag/2[.]0[.]4

Analysis

max time kernel
210s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/sten-code/Celery/releases/tag/2.0.4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2948	main.exe
1820	main.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4296_528342056\_platform_specific\win_x64\widevinecdm.dll.sig	Celery.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4296_528342056\_platform_specific\win_x64\widevinecdm.dll	Celery.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4296_528342056\LICENSE	Celery.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4296_528342056\manifest.json	Celery.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4296_528342056\_metadata\verified_contents.json	Celery.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4296_528342056\manifest.fingerprint	Celery.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
908	msedge.exe
908	msedge.exe
1324	msedge.exe
1324	msedge.exe
1440	identity_helper.exe
1440	identity_helper.exe
3808	msedge.exe
3808	msedge.exe
3496	CefSharp.BrowserSubprocess.exe
3496	CefSharp.BrowserSubprocess.exe
3188	CefSharp.BrowserSubprocess.exe
3188	CefSharp.BrowserSubprocess.exe
3188	CefSharp.BrowserSubprocess.exe
3188	CefSharp.BrowserSubprocess.exe
1348	Celery.exe
1348	Celery.exe
1348	Celery.exe
1348	Celery.exe
1348	Celery.exe
1348	Celery.exe
1348	Celery.exe
1348	Celery.exe
1348	Celery.exe
1348	Celery.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe
3068	CeleryInject.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3188	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	1348	Celery.exe
Token: SeShutdownPrivilege	1348	Celery.exe
Token: SeCreatePagefilePrivilege	1348	Celery.exe
Token: SeShutdownPrivilege	1348	Celery.exe
Token: SeCreatePagefilePrivilege	1348	Celery.exe
Token: SeShutdownPrivilege	1348	Celery.exe
Token: SeCreatePagefilePrivilege	1348	Celery.exe
Token: SeShutdownPrivilege	1348	Celery.exe
Token: SeCreatePagefilePrivilege	1348	Celery.exe
Token: SeShutdownPrivilege	1348	Celery.exe
Token: SeCreatePagefilePrivilege	1348	Celery.exe
Token: SeShutdownPrivilege	1348	Celery.exe
Token: SeCreatePagefilePrivilege	1348	Celery.exe
Token: SeShutdownPrivilege	1348	Celery.exe
Token: SeCreatePagefilePrivilege	1348	Celery.exe
Token: SeShutdownPrivilege	1348	Celery.exe
Token: SeCreatePagefilePrivilege	1348	Celery.exe
Token: SeDebugPrivilege	3240	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	4296	Celery.exe
Token: SeDebugPrivilege	3104	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe
Token: SeShutdownPrivilege	4296	Celery.exe
Token: SeCreatePagefilePrivilege	4296	Celery.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2948	main.exe
1820	main.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 692	1324	msedge.exe	83
PID 1324 wrote to memory of 692	1324	msedge.exe	83
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 3564	1324	msedge.exe	85
PID 1324 wrote to memory of 908	1324	msedge.exe	86
PID 1324 wrote to memory of 908	1324	msedge.exe	86
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87
PID 1324 wrote to memory of 2036	1324	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/sten-code/Celery/releases/tag/2.0.4
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6f8d46f8,0x7ffb6f8d4708,0x7ffb6f8d4718
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1926918820266718179,2460274276494730254,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2748 /prefetch:2
  2⤵
  PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2860

C:\Users\Admin\Desktop\Celery.exe
"C:\Users\Admin\Desktop\Celery.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348
- C:\Users\Admin\Desktop\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Desktop\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\Desktop\cache" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\Desktop\debug.log" --field-trial-handle=2012,i,16350939015753882836,15678152206215835726,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=2004 /prefetch:2 --host-process-id=1348
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Users\Admin\Desktop\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Desktop\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\Desktop\cache" --cefsharpexitsub --log-file="C:\Users\Admin\Desktop\debug.log" --field-trial-handle=2460,i,16350939015753882836,15678152206215835726,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=2464 /prefetch:3 --host-process-id=1348
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Users\Admin\Desktop\bin\lsp\main.exe
  "C:\Users\Admin\Desktop\bin\lsp\main.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2948

C:\Users\Admin\Desktop\CeleryInject.exe
"C:\Users\Admin\Desktop\CeleryInject.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Users\Admin\Desktop\Celery.exe
"C:\Users\Admin\Desktop\Celery.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4296
- C:\Users\Admin\Desktop\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Desktop\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\Desktop\cache" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\Desktop\debug.log" --field-trial-handle=2032,i,4104125802925123380,16806164353653669436,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=2024 /prefetch:2 --host-process-id=4296
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Users\Admin\Desktop\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Desktop\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\Desktop\cache" --cefsharpexitsub --log-file="C:\Users\Admin\Desktop\debug.log" --field-trial-handle=2684,i,4104125802925123380,16806164353653669436,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=2680 /prefetch:3 --host-process-id=4296
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Users\Admin\Desktop\bin\lsp\main.exe
  "C:\Users\Admin\Desktop\bin\lsp\main.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1820
- C:\Users\Admin\Desktop\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\Desktop\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\Desktop\cache" --cefsharpexitsub --log-file="C:\Users\Admin\Desktop\debug.log" --field-trial-handle=3584,i,4104125802925123380,16806164353653669436,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:8 --host-process-id=4296
  2⤵
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping4296_528342056\manifest.json

Filesize
1001B

MD5
2648d437c53db54b3ebd00e64852687e

SHA1
66cfe157f4c8e17bfda15325abfef40ec6d49608

SHA256
68a3d7cb10f3001f40bc583b7fff0183895a61d3bd1b7a1c34e602df6f0f8806

SHA512
86d5c3129bec156b17b8ebd5dec5a6258e10cb426b84dd3e4af85c9c2cd7ebf4faea01fd10dd906a18ea1042394c3f41a835eae2d83dc8146dfe4b6d71147828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Celery.exe.log

Filesize
3KB

MD5
b7a68c9d939818c30ceb9c2da6431d12

SHA1
0c4ce3c8319d73481ced367f20f53c9e5d385868

SHA256
15940caa8dbf49dcf5e1b74764d7bbd811294739f1fe7f447eff8f4c792cce04

SHA512
86eed6201f588425cc86ae917789a36eeaa3fa1654de6213580e3bcf4b88f685ae2c65f72a325a10d983d52c222c22aff42d12e73b3733b41a0a23cc1862f74b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
192d7616884f938d6ae5490bd41b76a7

SHA1
dab54ce7e8453ddffcb6c77353cac99e3cd56c47

SHA256
7612c151686428292cb2a801eb3e9dad4d4e2a151c91cae9c0fd3b8c26368460

SHA512
124bc9413f024fb6ac8b90939b8854a2a66a6e9cd7f6e26c2cf10017b820413ccf5086cc7eb8c29fe9aaf6fd2e381eb1f497f7475f479d3537b72f59428981f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
1b92794633aaa7d8ca83e408ef516a36

SHA1
4ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6

SHA256
0ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0

SHA512
698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
42b5a4e81342526eb6f8b40625e49097

SHA1
8ab39cf7669ae0e4bb1146d62af59777d8e30fc4

SHA256
2a7b38b09957e985444c358e91b19b2b7f19016b78b1f1041f39106c4025d2a7

SHA512
e0a8da2d25d09f3cb89df84b95c90439b8408d73faa5d52101025fa984dee87fdbede98985a40a605332253d2b4160e5bcce010c7eb24446a68e679c3b58fcf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98ff21512313da4545d1111f7d965d7c

SHA1
e04a60e0a8c0e72cb33e67caffc989d5f6846184

SHA256
f99dcd82e0450b87cf78d8c6619cdf29fd15e1bb6d92797bb09bc3f0b7870bec

SHA512
c799ada5364db27af185babde96c323b69959b909cc08e2f74f96a0c67435bb05d5cbdba36c31f09c441784335787dc742a99c686c4cb1e69bf7a2f2ab966f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bef056cad4b00a9fa6f95357c174addb

SHA1
160cdff391a3a2e4aaada9913dec8fa294e72df6

SHA256
c48886078f29c862350013af24f5f336d44a83355fbd954521e98ef5a4a8def4

SHA512
d8a750d8447b31c00efad8f787256ae4103b56398070307f9c4eb9e68ad54586cdeb70cc51245fa3105f87c34dd9da49db08292436904c5a206cb1daeca26231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f505aecc5927095a437dabff07367000

SHA1
9a99f5ec99c49da0db0573b5bc435290f613c1c3

SHA256
e0c0b89ae6e860a4a31576e5e466a0a852856be02c99c6c4023ed8f2b7cd56ee

SHA512
c8086bac514fb183a28babcbf7751b19413ece2d24b10d624f9f503b90332f588d73de0c31da2be14fc5b4e2d973456c2db6d8559b7685dda5c7ed9b1a094f39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f78d22931854206a49bb4e39db76ba00

SHA1
d61fee1d8a91b7ed531495c547b917b42baad5b2

SHA256
9df0a6ebe76311107496ec2a52bbf02a6221155ef131dfb72efa99e78c5b1d74

SHA512
e95e2017a41a5c74210dca68463edb2401495e47ff06eb44eaa8a5a5c4716b89d2d0431f5d5d332196f3f5b691b4c434420384b6b76937b53c452eff615b920b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
3e1851c2cafcc74ad65a38c26f8e201b

SHA1
bb8dc6f91176dcdb979cbebee50ff1252b0b8094

SHA256
c721ebad69e54b5895f88e08a2dd2d7c1dbe08143532423076c2e106b0e9aa09

SHA512
0356ec444bafa8e7fd982b57d5d1d99b7f3ecd65c43f70d379813e60b1d1776ff4c47af00db010e324e99f1853dd71d2b206d333ca119c31f1d271a1ba9a58db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
5399b1fc83aa0be2bd05bd9762efaaa9

SHA1
bd790fdce46a73eb298d6a38dea5cd2b5960d3ba

SHA256
cc8936f7d4f506f108c920f944a7c39e545294e3ac56a85be971bc6c071d86df

SHA512
54e7936b7843bfa5c8da4a27b9f4fe869c3d5e9e19ff6b017872c5b7c9010b6480d031c3b594ba2447b6cfd1cb0e6f7a01feec2e8d9d352c1059bd06ee53c433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ec44.TMP

Filesize
874B

MD5
521d725d0d705778b59d3a11df88b2ea

SHA1
552dcd86692f5eaa8e4b965edf08b3c3fb2ac80b

SHA256
c71daf919f3f1452a3199e795ab46a38072f1105e1fd9cd7fa361f0f42a77246

SHA512
0c6646750a53c593a97d1d1de0eff4483ec3ce97a40e8bad2eb10c5db709555a80d901c5e2848994d5942688934cfe9090be7237756d8dcc206aa1ceff7aa149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6ba823ccb76fe03ba87f861057624e5d

SHA1
68e99133bfd90b4a90beecf969030abbf463ba86

SHA256
619270077b6bab696a6de4d492b1aeeba0bc4b3e035a739ca812478b7a2d9f2e

SHA512
52b4d6eced9e640ddb9bfdb45c69bbb48743dbcdb8ac9fab394e9fd78516b0fa85dfba7cc5079435a988c53fc7eb045caad6ae48cf50d34e4a564618c06fe894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f5265066c4809d2c6e2d1989fcb58170

SHA1
673f823ced98f675e82072c95655b4590e4cd958

SHA256
6f33fb4ea2ddbc68d60d016cbb7c5f377b55497b689072de65119c26cf8a9443

SHA512
c02056571c67cde4be2ad97e4b496176969cba995fd8987f86b8207456e4eee854f66f579dd91c9413e695b22183b18dc41c12e72f09f1d88ecc88633ab21aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\celery\celeryhome.txt

Filesize
22B

MD5
daef5122cbb03479c6958aa8b47afdbe

SHA1
7a64a21c5cefe0e52bb3bf079aad477e8be33901

SHA256
c5566544c689b61ef6953ce938af78db3fc48c299ea603a88e6b1ffda297ad91

SHA512
ab6c56da1c8054490469c333b335168fe3d415fd6ce96163adb60e20ae903819823f4b58cded087797eae223c69c5cad62a6bd4ae89fdd6011bfae39846a712d

Download Submit
C:\Users\Admin\AppData\Roaming\Celery\Themes\Default.json

Filesize
390B

MD5
53140e18fb33e7e9a25e13f57a4190aa

SHA1
dd72190319ae2b7ddb12a137f50fad2579fcc897

SHA256
1cbd08945e5e8612b690e1eb663917cfb4f84f0083bf7d2c2a61f43e6c455e9b

SHA512
fb9b0456c7c9d468b14db242659d2cda36f7457f9035628d92538850a509e78116972e9890edc3b69d4379aaafb6da76ff2876b446b6953e14914cdfe7dc7b94

Download Submit
C:\Users\Admin\AppData\Roaming\Celery\settings.json

Filesize
116B

MD5
53bd3a85ae0f3c6b08b3c6a6fc58c127

SHA1
686e0e83a7b5279d4efb62b0dd3cd7b9a94195cf

SHA256
69b2c2fa52825ccd32572f2a9083388c8a6d799a6ac72c788fb7a63c1a18387a

SHA512
3c2fdfc69977de09b71cc7dd35e3a63c269bccbbc5e065856336ec3f94fa134f57d763a72069ed98e0bea585b590f45922ae8513478e0c711d8429294e56091a

Download Submit
C:\Users\Admin\Desktop\bin\Ace\js\ace\theme-celery.js

Filesize
3KB

MD5
207bf514a3e84b6b4ddbc6d830a99794

SHA1
e9c75d966bc83b0edc744b851eaf5e804999b37f

SHA256
987ed57188537ceb905586cc7e194a90d8fabb6edd93408442399e5ea66c5729

SHA512
35d880c7d37b6def69e6d672e62112410fa42e3ace1291eeaeb4ac6c3aff9b66854c0340fc36b8fc2ed091c8360dd320ea56e726d463d07ea2963958451e6891

Download Submit
C:\Users\Admin\Desktop\bin\Ace\js\ace\theme-template.js

Filesize
3KB

MD5
8b8642944111b209586f2e574fe73343

SHA1
3d7fb18ed40e4d6fab5104754a19a066cd212b7e

SHA256
4091b14f01980c96d0071240a69b35bb4ea8ec9b90ba5a5ed99ab3b1af5ef520

SHA512
6b009dd6da20bfadef73d853b823488a09a669b7a1b6409277683ce96be5e13c7301f9597a3088e25212a417e6591285cdfbb867a69710faffc874ce7b017dbc

Download Submit
C:\Users\Admin\Desktop\bin\lsp\main.exe

Filesize
36.1MB

MD5
43ad962c7acda3e30300e7d0f1add3fb

SHA1
362c217d315f288f375fec7289a2606ed6d4f432

SHA256
534e6212f155fba25a38fba248ce7970e69335492d57443d04037b617260dd9b

SHA512
3822b6b426c85a61c4d754de7c33fdfbca45c9e80f2ba52f4c6ac98ad726109e276851af3612ebb39a6cefa4de9589d412e2805a3bacf7845d2aa22189396e4b

Download Submit
C:\Users\Admin\Desktop\cache\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\Desktop\cache\GrShaderCache\index

Filesize
256KB

MD5
efb8de7c3232528150c7b3d169ee6287

SHA1
f1dc37470cc4e1ec3ae22bccf8ca1da9d84f1cc6

SHA256
d43624f360f6e6978ae2258f7a61464775c0a3648d9f9e801a7ba97f6124da98

SHA512
591ec00ae785bafd8d14c2150591916f7603cb3bd7e61143cc2b225a7692b1cffa4facc5bb625867bbc15b83cf5a5fd585576247ae1462ebdcff0e1079ccfe9f

Download Submit
C:\Users\Admin\Desktop\cache\GraphiteDawnCache\index

Filesize
256KB

MD5
c8c0af4af08879ddb358ec8841f70c29

SHA1
ca86706adf57c63351c8fcfebac9a0c92728d124

SHA256
c4f645bf8cdb2897db4a6b510612ce8843a955d0948e574935817b271660f485

SHA512
5f0a621a0e13501f31da5bb0c2a2bf63d6830667d16544fd0ff0a9210788ee9d00c39f6741ec9bac41b0d8c0083a67788c5f7ba5422e5df7150826b8b2eb812e

Download Submit
C:\Users\Admin\Desktop\cache\LOG

Filesize
181B

MD5
8bf0df53484e985d36fe797580e2a473

SHA1
093b1ab785a7fbc6467875387ecbf8de50b5db5b

SHA256
2c1bac4e1bc3ee6d508798ee6ddbcc8664b225620ac991ab1cde51297c5b6629

SHA512
fec33e20f432bdc3057e7944e6a7bdb1b3d6f607c6aa9b169320113374657ea913279ef9fbb21b55941f0f9f798273ce2be91f139827096b9e122c795564aba2

Download Submit
C:\Users\Admin\Desktop\cache\LocalPrefs.json

Filesize
643B

MD5
b41970e01097b5353fe98f244c508bb2

SHA1
d9a822dde5048bffa692b49111f84f3d310fd2af

SHA256
085d112f790e51c298197c62d8a8956722c65220672bbd067a62ecf0cd57935b

SHA512
9bcf52d32d5fb624266bf0389d01ce73c88a2b58b0516165422d29d4595c7710b6e1201d08a1501f2f15ba772d4b17711f0da0f2765765a34c38f985211d1bd9

Download Submit
C:\Users\Admin\Desktop\cache\LocalPrefs.json~RFe5a76b8.TMP

Filesize
434B

MD5
2bc727f808af0e447205fe36d850038b

SHA1
1518263ae543271596fe755ac7e805aee8a58da7

SHA256
99ef670cfa5ab28a58a15a87b6abfbeee706a34d45ae31acfe89599779b2ba4a

SHA512
e7715456c73eef833a9e9fffed7d5f8d9986fcdaaf45f49639ddc4707ca5db233f009b3ca829060797247991917b10ba60f0175b5e01d28bef78078412563a11

Download Submit
C:\Users\Admin\Desktop\cache\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\Desktop\cache\ShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\Desktop\cache\ShaderCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\Desktop\cache\ShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\Desktop\cache\ShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\Desktop\cache\ShaderCache\index

Filesize
256KB

MD5
545f702df3fe931659fd7c9ad4b72967

SHA1
d83161f3708818fed8372901b223842b92cd4863

SHA256
108944d708113d4a2baab0e8c2d97f850f1d607b3137edabc56a77b76172ef67

SHA512
c5d626a08c294d74a565de33579f1ffb65f55146f44c1664a9e6061eef9594b3151e33884e2ff1c78601b181d2b307838b92985d7c1d66a63b96c5fee4db21cf

Download Submit
C:\Users\Admin\Desktop\cache\Visited Links

Filesize
128KB

MD5
e3dcf8f5f0199380c69dc39e624f9f5d

SHA1
26403285a0b338c3eb94bec6275f387d882665b0

SHA256
aa4357d642b704ec7727c5cf3ce2564724dad7729d2fb63603e1c5885a8adf25

SHA512
6818c0bc462ce660eecb733d180f2bab351d3dc6e971d87c73744f5885ca05bc15ef5e74bad0f01c7ccb1acc9e6f267cb905538f8b143b075cf5922532f72307

Download Submit
C:\Users\Admin\Desktop\cache\first_party_sets.db

Filesize
48KB

MD5
86c13ea2aab6558072cbe13e50bf6e43

SHA1
5eb1664e71e3c2f0cd95224a63755ad0774559e7

SHA256
f6abac0dc76757079d59109da1e48104415c629a5c55eaeefd82f9096cf51ab4

SHA512
900079bdbe9f7a88809294a479ac2f36bc324185c0f7c00069a42018b9c65cfeb3b1a19d81d955e031dbf0e927e7ae55b3a6304e6f8905d71dccc807f22f29af

Download Submit
C:\Users\Admin\Desktop\cache\first_party_sets.db-journal

Filesize
12KB

MD5
5e6a531d70b14ffa7217cd50dd2acc3a

SHA1
473cc34853f29fa0c6797ae72c8789ce34242eba

SHA256
4fdf671d4898a6aeb82fd1e46b6a4521255719462279fba3b7c84e7770a881c0

SHA512
98f387b1813da99dceb2f9cce9cfb1b12a587eab1e6ad903e17ffaa1448b03ba6b0238d1f6e8391c23ec2012c533df732e80c21edf7db0feafe7e58f47b41bb1

Download Submit
C:\Users\Admin\Desktop\debug.log

Filesize
3KB

MD5
a74800a8b3695ce7de3c81ce00b02492

SHA1
cfda3c7139de730c76dd667b8716b23b9f1b87fe

SHA256
c66acf5af558e7cd99b4e27fd3912bec5457cd82fd331d64f47ebd5e041184ae

SHA512
5b25834785ce052398da159ac5db4249accd7df9e8433eb2404e56edf0423456a63f233b85e301790827ca690245869d9bcc867ab16e5811e6079c10617ac2fa

Download Submit
C:\Users\Admin\Desktop\debug.log

Filesize
3KB

MD5
05603bbeb7b0c85f032a926bb3a7fb72

SHA1
b130c0207e4d7a2e1fe9bce92488a588a7854d01

SHA256
bc3fe09defc4d6c39b2588f44285df4fa9158d9352d72fa96d54dab1064c3af1

SHA512
65a54f2eb2d429d255eb12fa887fd5e020c01848a3d2cdbfd6156293f674c428adda39aaa41aea8b122faab9871afae14bf308b023a2a40b4e9173b95ff8314c

Download Submit
C:\Users\Admin\Desktop\debug.log

Filesize
7KB

MD5
dc50b9ff16f8188503dfb86f865708b2

SHA1
bee8d81b337847c22ee11d6f45272dda61dbfef5

SHA256
3606e918e8b62d07ba18ef0452d500a1b4144f58009ec0c24d8f4ce2c8379ba8

SHA512
a9e3193b29bd755a7b8ffc824279273a60cf660da122ae26a2cbd4d6022bd7aebaaede23c777dd4f5005bddbabe350106654baa16c0aba49199823aff7b2e959

Download Submit
C:\Users\Admin\Desktop\debug.log

Filesize
7KB

MD5
8877937732eeaa86f8e9049e850c54fa

SHA1
5081b9ae39cca2bd6f5f0fca253903e541955a07

SHA256
a097413b86c267745d2d501d5e4e9dc0361ed593cc84d25ea461a0a4fa385b17

SHA512
d0eb77c3eb8fc4c75ef6e6226a2b0da4721df1c24574a4e5aee2cbad696d29d2c8cbf849aa45855a7d871d49fb56a1b62701b4928174208cfd3d0bffdcfb184f

Download Submit
C:\Users\Admin\Desktop\debug.log

Filesize
7KB

MD5
78f50bcc6f55ca5fa00f3cc45fec58c0

SHA1
189ef8cb4999f851dd2fbaabcef04ebebc4d2f8f

SHA256
25027eac8b0515d3874c69e25099bd1965aa2c5f42158172d054162715fd73f6

SHA512
fac9e2fd079361e4724713199ba9ae08583d7bccbeb58024a05dcca84e6213986f6fac2421a8cd295b6e8b3396448b4289f9b9400780ba44b74103ffc26b96c7

Download Submit
memory/1348-473-0x0000023377940000-0x0000023377978000-memory.dmp

Filesize
224KB

Download
memory/1348-301-0x000002335C130000-0x000002335D27C000-memory.dmp

Filesize
17.3MB

Download
memory/1348-326-0x00000233776F0000-0x00000233776FA000-memory.dmp

Filesize
40KB

Download
memory/1348-309-0x0000023377740000-0x000002337778A000-memory.dmp

Filesize
296KB

Download
memory/1348-325-0x0000023377710000-0x0000023377722000-memory.dmp

Filesize
72KB

Download
memory/1348-444-0x0000023377AB0000-0x0000023377B62000-memory.dmp

Filesize
712KB

Download
memory/1348-478-0x0000023300000000-0x0000023301000000-memory.dmp

Filesize
16.0MB

Download
memory/1348-308-0x0000023377BF0000-0x0000023377DB1000-memory.dmp

Filesize
1.8MB

Download
memory/1348-307-0x000002335D660000-0x000002335D66A000-memory.dmp

Filesize
40KB

Download
memory/1348-474-0x0000023377790000-0x000002337779E000-memory.dmp

Filesize
56KB

Download
memory/1348-306-0x000002335D650000-0x000002335D65A000-memory.dmp

Filesize
40KB

Download
memory/1348-472-0x0000023377730000-0x0000023377740000-memory.dmp

Filesize
64KB

Download
memory/1348-470-0x0000023377700000-0x0000023377708000-memory.dmp

Filesize
32KB

Download
memory/1348-447-0x00000233778D0000-0x00000233778F2000-memory.dmp

Filesize
136KB

Download
memory/1348-305-0x000002335D6C0000-0x000002335D6DC000-memory.dmp

Filesize
112KB

Download
memory/1348-304-0x000002335D6A0000-0x000002335D6B4000-memory.dmp

Filesize
80KB

Download
memory/1348-303-0x00000233779C0000-0x0000023377AA6000-memory.dmp

Filesize
920KB

Download
memory/1348-302-0x000002335D670000-0x000002335D694000-memory.dmp

Filesize
144KB

Download
memory/3104-527-0x0000021DD73D0000-0x0000021DD83D0000-memory.dmp

Filesize
16.0MB

Download
memory/3188-479-0x000001CEB8AB0000-0x000001CEB9AB0000-memory.dmp

Filesize
16.0MB

Download
memory/3240-526-0x00000294F12E0000-0x00000294F22E0000-memory.dmp

Filesize
16.0MB

Download
memory/3240-492-0x00000294F0A70000-0x00000294F0B8E000-memory.dmp

Filesize
1.1MB

Download
memory/3496-316-0x00000168DC830000-0x00000168DC94E000-memory.dmp

Filesize
1.1MB

Download
memory/3496-313-0x00000168C23D0000-0x00000168C23D6000-memory.dmp

Filesize
24KB

Download
memory/3496-480-0x00000168DC950000-0x00000168DD950000-memory.dmp

Filesize
16.0MB

Download
memory/4296-484-0x000001BC7C020000-0x000001BC7C1E1000-memory.dmp

Filesize
1.8MB

Download
memory/4296-525-0x000001BC00000000-0x000001BC01000000-memory.dmp

Filesize
16.0MB

Download
memory/4404-587-0x000001C2CD5A0000-0x000001C2CE5A0000-memory.dmp

Filesize
16.0MB

Download