Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-07-2024 16:25
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet (tag): Office04
- C2: Joesnazzy-26854.portmap.host:26854 (portmap.host is a public port-forwarding service; this is what the "Legitimate hosting services abused for malware hosting/C2" signature below refers to)
- Mutex (GUID): 0e3df0a7-c843-43da-81c8-d9c01f85801a
- Attributes:
  - encryption_key: FE31C9B3146C7F6C565D8024D45CF71A2F7A3888
  - install_name: celery.exe
  - log_directory: Logs
  - reconnect_delay: 3000
  - startup_key: windows defender
  - subdirectory: SubDir

The attributes map directly onto the behaviour recorded below: subdirectory + install_name give the install path C:\Windows\system32\SubDir\celery.exe, and startup_key is the name of the scheduled task the client registers.
Signatures

Quasar payload (2 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\Downloads\Unconfirmed 865471.crdownload                        family_quasar
  behavioral1/memory/5500-341-0x0000000000A60000-0x0000000000D84000-memory.dmp  family_quasar
  (The .crdownload name is Chromium/Edge's in-progress download file; the second hit is a memory dump taken from PID 5500, the installer.)
Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  PID 5500  celery installer.exe
  PID 5676  celery.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Drops file in System32 directory (6 IoCs)
  description                   ioc                                                      process
  File created                  C:\Windows\System32\SubDir\celery.exe\:SmartScreen:$DATA  celery installer.exe
  File opened for modification  C:\Windows\system32\SubDir                               celery installer.exe
  File opened for modification  C:\Windows\system32\SubDir\celery.exe                    celery.exe
  File opened for modification  C:\Windows\system32\SubDir                               celery.exe
  File created                  C:\Windows\system32\SubDir\celery.exe                    celery installer.exe
  File opened for modification  C:\Windows\system32\SubDir\celery.exe                    celery installer.exe
  The :SmartScreen stream is the alternate data stream Edge attaches to downloads (see the NTFS ADS entry below); the installer copied itself with its streams intact, so the marker travelled to the System32 location. Writing under System32 at all means the installer was running elevated, which matches the sandbox's Admin user.
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings  msedge.exe

NTFS ADS (1 IoC)
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 865471.crdownload:SmartScreen  msedge.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 5608  schtasks.exe  (spawned by celery installer.exe, PID 5500)
  PID 5800  schtasks.exe  (spawned by the installed celery.exe, PID 5676)
  Both invocations run the same command: schtasks /create /tn "windows defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f. The task name is the config's startup_key and the target is the installed copy; the installed copy re-registers the task on every start. Quasar's client takes this schtasks route only when it already has administrative rights; otherwise it writes the same startup_key as an HKCU Run value, so a hunt for this family should cover both locations.
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 2860 msedge.exe (x2), PID 3588 msedge.exe (x2), PID 4048 identity_helper.exe (x2), PID 6036 msedge.exe (x2), PID 116 msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  PID 3588 msedge.exe (x10)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 5500 celery installer.exe
  Token: SeDebugPrivilege  PID 5676 celery.exe

Suspicious use of FindShellTrayWindow (35 IoCs)
  PID 3588 msedge.exe (x35)

Suspicious use of SendNotifyMessage (24 IoCs)
  PID 3588 msedge.exe (x24)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 5676 celery.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3588 msedge.exe wrote to the memory of its own child msedge.exe processes 756, 1100, 2860 and 2964 (the bulk of the 64 entries target 1100 and 2964).

Of these, the entries on PID 3588 and its children are the normal multi-process behaviour of the Edge browser that was used to fetch the sample; the RAT-relevant hits are the ones on PID 5500 (installer) and PID 5676 (installed client).
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth; the children of PID 3588 are all C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe unless another image is named)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3588
  cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/astzgotmotion/celery-executor
  sigs: Enumerates system info in registry; Modifies registry class; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    PID 756 (crashpad-handler)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff314746f8,0x7fff31474708,0x7fff31474718
    PID 1100 (gpu-process)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
    PID 2860 (utility: network.mojom.NetworkService)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      sigs: Suspicious behavior: EnumeratesProcesses
    PID 2964 (utility: storage.mojom.StorageService)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
    PID 1176 (renderer, client-id 6)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    PID 3596 (renderer, client-id 5)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID 3520
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID 4048
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
      sigs: Suspicious behavior: EnumeratesProcesses
    PID 3212 (renderer, client-id 8)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
    PID 1584 (renderer, client-id 9, instant-process)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
    PID 4896 (renderer, client-id 10)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
    PID 1152 (renderer, client-id 11, instant-process)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
    PID 5200 (utility: edge_collections.mojom.CollectionsDataManager)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3404 /prefetch:8
    PID 5208 (renderer, client-id 14)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
    PID 5340 (utility: chrome.mojom.UtilReadIcon)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 /prefetch:8
    PID 5524 (renderer, client-id 16)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    PID 5692 (renderer, client-id 18)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
    PID 5868 (renderer, client-id 19)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
    PID 6036 (utility: quarantine.mojom.Quarantine)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
      sigs: Suspicious behavior: EnumeratesProcesses
    PID 116 (gpu-process, GPU sandbox disabled)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,12633906771549924003,6205690121039954476,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4208 /prefetch:2
      sigs: Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  PID 964
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  PID 1368
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  PID 5468
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\celery installer.exe  PID 5500
  cmd:  "C:\Users\Admin\Downloads\celery installer.exe"
  sigs: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\schtasks.exe  PID 5608
      cmd:  "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f
      sigs: Scheduled Task/Job: Scheduled Task
    C:\Windows\system32\SubDir\celery.exe  PID 5676
      cmd:  "C:\Windows\system32\SubDir\celery.exe"
      sigs: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
        C:\Windows\SYSTEM32\schtasks.exe  PID 5800
          cmd:  "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f
          sigs: Scheduled Task/Job: Scheduled Task

The tree reads as one chain: Edge (PID 3588) opened the submitted GitHub URL and downloaded the file; the download was executed as celery installer.exe (PID 5500), which copied itself to C:\Windows\system32\SubDir\celery.exe, registered the "windows defender" logon task and started the installed copy (PID 5676), which in turn re-registered the same task.
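The chain above (an executable launched from Downloads registering a schtasks /create ... /sc ONLOGON ... /rl HIGHEST task that points at a copy under a System32 subfolder, then the installed copy re-registering the same task) is what a hunt over process-creation telemetry should key on. The script below is an added example, not code from this report or from the Quasar project: it tokenises Windows command lines, extracts the schtasks /create switches, and scores each registration against the parent process that issued it. The event records are constructed from the process tree on this page; the parent PIDs of the top-level processes and the benign control (an msiexec-registered daily job) are assumed, since the page does not give them.

```python
"""Hunt for Quasar-style schtasks persistence in process-creation telemetry.

Added example (not code from the report or from Quasar). SAMPLE_EVENTS is
constructed from the process tree above; the parent PIDs of the top-level
processes and the benign control events are assumed, not taken from the page.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class TaskAlert:
    pid: int
    task_name: str
    target: str
    reasons: list


SAMPLE_EVENTS = [
    # From the report (parent of 5500 assumed to be the rundll32 host, PID 5468).
    ProcEvent(5500, 5468, r"C:\Users\Admin\Downloads\celery installer.exe",
              r'"C:\Users\Admin\Downloads\celery installer.exe"'),
    ProcEvent(5608, 5500, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'"schtasks" /create /tn "windows defender" /sc ONLOGON '
              r'/tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f'),
    ProcEvent(5676, 5500, r"C:\Windows\system32\SubDir\celery.exe",
              r'"C:\Windows\system32\SubDir\celery.exe"'),
    ProcEvent(5800, 5676, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'"schtasks" /create /tn "windows defender" /sc ONLOGON '
              r'/tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f'),
    # Constructed benign control: an MSI installer registering a daily job.
    ProcEvent(6990, 1000, r"C:\Windows\System32\msiexec.exe", r"msiexec /i backup.msi"),
    ProcEvent(7000, 6990, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_NO_VALUE = {"/create", "/f", "/z", "/it", "/np"}  # schtasks switches that take no value
_USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(downloads|desktop|appdata)\\", re.I)
_SYSTEM32_SUBDIR_EXE = re.compile(r"^c:\\windows\\system32\\[^\\]+\\[^\\]+\.exe$", re.I)
_SECURITY_WORDS = ("defender", "antivirus", "security")


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_schtasks_create(cmdline):
    """Return {switch: value} for a 'schtasks /create' command line, else None."""
    toks = split_cmdline(cmdline)
    if not any(t.lower() == "/create" for t in toks[1:]):
        return None
    opts, i = {}, 1
    while i < len(toks):
        t = toks[i].lower()
        if not t.startswith("/"):
            i += 1
        elif t in _NO_VALUE or i + 1 >= len(toks) or toks[i + 1].startswith("/"):
            opts[t] = True          # bare flag
            i += 1
        else:
            opts[t] = toks[i + 1]   # switch followed by its value
            i += 2
    return opts


def task_reasons(opts, creator_image):
    """Heuristics that, combined, characterise the persistence seen in this report."""
    target = str(opts.get("/tr", ""))
    name = str(opts.get("/tn", "")).lower()
    reasons = []
    if str(opts.get("/sc", "")).lower() in ("onlogon", "onstart"):
        reasons.append("logon/boot trigger")
    if str(opts.get("/rl", "")).lower() == "highest":
        reasons.append("runs with highest privileges")
    if _SYSTEM32_SUBDIR_EXE.match(target):
        reasons.append("target is an exe in a System32 subfolder")
    if any(w in name for w in _SECURITY_WORDS) and "windows defender" not in target.lower():
        reasons.append("task name impersonates a security product")
    if _USER_WRITABLE.match(creator_image):
        reasons.append("created by a process running from a user-writable folder")
    if target.lower() == creator_image.lower():
        reasons.append("task target re-registers itself")
    return reasons


def hunt(events, min_reasons=3):
    """Return a TaskAlert for every schtasks /create that trips >= min_reasons heuristics."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if not e.image.lower().endswith("\\schtasks.exe"):
            continue
        opts = parse_schtasks_create(e.cmdline)
        if opts is None:
            continue
        creator = by_pid.get(e.ppid)
        reasons = task_reasons(opts, creator.image if creator else "")
        if len(reasons) >= min_reasons:
            alerts.append(TaskAlert(e.pid, str(opts.get("/tn", "")),
                                    str(opts.get("/tr", "")), reasons))
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"PID {a.pid}: task '{a.task_name}' -> {a.target}")
        for r in a.reasons:
            print("   -", r)
```

On real data, convert each Sysmon Event ID 1 or Security 4688 record into a ProcEvent (image, command line, PID, parent PID) and feed the list to hunt(). No single heuristic alerts on its own: executables in System32 subfolders (wbem, WindowsPowerShell) and ONLOGON tasks are common in legitimate software, which is why the threshold requires several to coincide, as they do for both registrations in this report and for neither of the control events.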
Network
MITRE ATT&CK Enterprise v15
Downloads

- (no path recorded)  152B
  MD5    d406f3135e11b0a0829109c1090a41dc
  SHA1   810f00e803c17274f9af074fc6c47849ad6e873e
  SHA256 91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4
  SHA512 2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

- (no path recorded)  152B
  MD5    7f37f119665df6beaa925337bbff0e84
  SHA1   c2601d11f8aa77e12ab3508479cbf20c27cbd865
  SHA256 1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027
  SHA512 8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index  2KB
  MD5    82b6a2508833379795c75b39db79c3b0
  SHA1   12f08c95df20f87b354ffa3a911b8ea280039f44
  SHA256 51f90a13fbc73fb964fb0063727805ca3dd36e01600b0866c6447ad0e364814d
  SHA512 4d16ddcfc2dc654310903350d28c05e257810d052a11677bd9bcb407aaec5ba44d0027040feb252cdb25aaf840dfa8fea2f179365f18722eb11fb131c19b5c90

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index  2KB
  MD5    ed368b7013ca6355614dfda2f1eda2fc
  SHA1   60eb58e9521e1bdaeaac31b7739d7062b1d7dcff
  SHA256 0bf1c0200f16dc2ab2120aee5251f56ab7afbed3124c5c770f40c6a9fe390000
  SHA512 3ffe03d8a6c8f714ee8617a619694cc1213f3b47a95985c662fb88208399612d889b307bf9b698c439c7f0663a5b0f478ecc1fa3428a630d43c5bc3c309c8ed8

- (no path recorded)  1KB
  MD5    709e502de8f2ef2d5a5cbea68a356b11
  SHA1   2dfba6f3b8f32bb2f5ed776f19bdca8ff28aa005
  SHA256 a455d7928b3d4ddf5c3da02b4b4595bd10179120bfd1028d46395e85f15c6b06
  SHA512 741f767a7bccde1d2eb5e6b8479294a19ce992edcdcb22e4f111f6f7fe88e3cff07ca02c0a1c422e65bc2cffcdc7e79e40e7ac3558e4a6ab0c711e845851a124

- (no path recorded)  5KB
  MD5    bbfc84a9e8c061db4123977a9530a25e
  SHA1   7d2d2ee8b6839d8cab6c1dac70c2edcea203f47b
  SHA256 896eceaab1f26c32cce0a39e0c5acbc006533f231a0bc92e8cd50545f02c9382
  SHA512 33169debbf41eb9d4e9b768f2e85450d8fa45b7d54f222a433ef597b23a1e451252ededc6b7b22686db78b48519e4793643298acc7af6e4a7dd5e6478122456e

- (no path recorded)  6KB
  MD5    861965df372be63275002eb301988467
  SHA1   04586cd66dad94d23b1a7dce52a125127fd29796
  SHA256 3d3a32b9894985a265e92e35ce7bd88a1175897a6ea4519a2fdf8f4b2630d433
  SHA512 79c8109768c6cf33c2fb5fb87a3c0c260f239b01fef50e1e62e642a13b4a5064aa12f251ee53a3ea8048e624c67a9c82b8a66db1aa42798928622da30f22b21c

- (no path recorded)  6KB
  MD5    5099b8b4e7ff13a91e653643dcb055cb
  SHA1   0d9da2875f45dbd12f0b8bd6a3c2ea4ffdead767
  SHA256 4fddcd188ef1b14d0a1a07b1f0d02cc055b7417ca438b5588e287ab96b8ad6f3
  SHA512 55aab59b5a551d7746a71b7e0efceefcddb214760e7ca3e40b7506be773b4e44415ff186fa29f108ad1b37581d817d3323f66697075c1dd78c8a6a5860846225

- (no path recorded)  6KB
  MD5    8327a53bee4426876cb8491e228fdffc
  SHA1   47f41c4a0e24d0a025efe7c0188652e49026d815
  SHA256 2c4584c12ee99ae31ae0ebd4b2b37fe2ad8f05aa5232f3e0b8cc239f62058fc0
  SHA512 3c345ec2d213a02bb553329db5ffc18d9d7d04d7ccf7cbd6d778a5727b80ef74527c63b0503a5a4c5327297fe2d6c073da88ceae727ca5a5f8c5ecd78a0333f3

- (no path recorded)  1KB
  MD5    b690c6d29fb64793be074e4c28bbedaa
  SHA1   735f6b286afc27c8d9bd06c5e312ae4b941e78c4
  SHA256 b152a011a0cdc76dfb0cb5d8eb8281fa8eb6b111fbcad036ac9705c683b29b91
  SHA512 827aca64bbfb052bb0fe493efa69f82b73f70b7367606de79d6e425d135f23c0bdb2efe08b3d0a7b5d08cf7c6e04303f12e621a876d7ae849e968ef649727065

- (no path recorded)  1KB
  MD5    7443f338dc6a35bcc49708299afd9f31
  SHA1   b0ccda899cea1a8037e2c42873576edda0598191
  SHA256 cccf6c7cda68bc3d55a5ad24cdc88bb4fd1bacf271a94894aeebba8d41cccf21
  SHA512 37e70ec4c92b9cbfd70ef6af349a7d4eb41f09b4b5c8e5c050e9b7cf4c1e0721a1f816a28e3a0fb1ab2e54c1dca3884b573965c5d5eb7064ec82fc05feda6cd3

- (no path recorded)  1KB
  MD5    11f23bc76c77a25efbba50db7920e69d
  SHA1   d0c1c16524e0ce19c34332e45ff91029f0bf78cd
  SHA256 4765c27262012a1e736ac64a7a974c6d04b4a97f2f016c37702826787cb0e884
  SHA512 d85189beaad6b9bc0de5e95cfd836335226e2b43006903054d7f6a3f37b22de0a9e687c4771fd87748044a81440740a48f4ed8c137620344a6bdf90fbdde3c14

- (no path recorded)  1KB
  MD5    3d72ed3965e1c3813863ab3e092aca37
  SHA1   39cc87a99c1ca50064a8526c0aa83d02abf75df6
  SHA256 e1107815505fc9c2643421606aca08c38e309a98ef61f7e59b4e27f99da809b6
  SHA512 e23e0981e1b1be185108d59c8d571ebca473fd4b6d2cb583d69ace858d740192566aad74b964df7093468a7333703b20c12e7a23cc9a0d57c953d519d27ce9e4

- (no path recorded)  1KB
  MD5    4a2e3434b43804139ed722b36d2fcd30
  SHA1   1ce413b0a989c7338d0ee9d8251c290765d5ed52
  SHA256 c9dceffbefb5e37f095e60828ff5e359debc78aa03d73c000434a91ea233275f
  SHA512 b2f5f00b577da2a4e739ec432de0d29e4fd0bfe4b9c97f63dce57531236c1cc170f357d48b806a8f4b0fe468b5b312c23add41a3d0db541543b1389d067b83e9

- (no path recorded)  16B
  MD5    206702161f94c5cd39fadd03f4014d98
  SHA1   bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- (no path recorded)  16B
  MD5    46295cac801e5d4857d09837238a6394
  SHA1   44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- (no path recorded)  11KB
  MD5    4b3c1e65e1883cb192593f1eb446b4d4
  SHA1   58866e6544f5549d6ce89780299de8c52d88ca5b
  SHA256 1cca86f2241777b34bd72f4bbf850ba4203f9a8e20776779fc81f25a65e2c662
  SHA512 65797955ed6b0a154dab308629d50e9f8356f47d5392a87ff14a62f070c4722208249bee6591c0e3a136d0a8e706e0ad06515bdd23647d6477465632d653adf0

- (no path recorded)  11KB
  MD5    f6b87597c90f74b1dcf2242de0d32eb5
  SHA1   b4e5b61dc3f147bb7c4797631cc6f861c5d78a25
  SHA256 7c64652c28c834d480458b1a85a558acf6f5986b8af7bf2cef524f20b83e32c1
  SHA512 d0351013d258fe5f230172e60c7c49955b304ddbe5884a16ea8113abf42ad38a5f8312941145b05fb0968f545a9b578a57fcf401c7af9db744f65116cd07be71

- (no path recorded)  11KB
  MD5    7804ae46a7973f08df33135b1b2c211b
  SHA1   a168ffa4b8b188b691c0acbc37283a8161b0c1f5
  SHA256 2b80f556bbe5d8805decea261ad4ec18e22bb224a9f04e4402b97326463d7ccb
  SHA512 38b2488f43d9904991d3c052fbd445c836666a6d043ccdc6d6950f935c236fc44e8323ffdc2aa0ae941e30843f4365174874fefb5074826d41acb05f3c173765

- (no path recorded)  3.1MB
  MD5    45f959942912fbcd1653b538332c5ec9
  SHA1   7fdcd65b7bd7d5bdbc279e0b4fa6eebb8c36fca1
  SHA256 6b400e1fc91d48c849aa79f355b641d35658188d668686ad7192333e9b92a1ae
  SHA512 9072548e7a5e8f92a910c8621ff1a67fba6dcc4aa3c7af82047bdfdb86165d6d3466ed32081ef87816ccc04b6549367ec65fa2d69e8865ef0d42b6befe26f466

- (no path or size recorded; these are the digests of empty input, i.e. a 0-byte file)
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e