Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08/08/2024, 16:07
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
xworm
allows-welfare.gl.at.ply.gg:49180
-
Install_directory
%Temp%
-
install_file
System.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0009000000023b90-86.dat family_xworm behavioral1/memory/3052-91-0x0000000000290000-0x00000000002AA000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 844 powershell.exe 3624 powershell.exe 1724 powershell.exe 2452 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation System32.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk System32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk System32.exe -
Executes dropped EXE 4 IoCs
pid Process 3052 System32.exe 1788 CeleryLauncher.exe 3424 System32.exe 4792 CeleryLauncher.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 8 raw.githubusercontent.com 9 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 45 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CleryLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CleryLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2512 msedge.exe 2512 msedge.exe 4928 msedge.exe 4928 msedge.exe 4776 identity_helper.exe 4776 identity_helper.exe 4968 msedge.exe 4968 msedge.exe 844 powershell.exe 844 powershell.exe 844 powershell.exe 3624 powershell.exe 3624 powershell.exe 3624 powershell.exe 1724 powershell.exe 1724 powershell.exe 1724 powershell.exe 2452 powershell.exe 2452 powershell.exe 2452 powershell.exe 3052 System32.exe 3052 System32.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe 2540 CeleryInject.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 3052 System32.exe Token: SeDebugPrivilege 844 powershell.exe Token: SeDebugPrivilege 3624 powershell.exe Token: SeDebugPrivilege 1724 powershell.exe Token: SeDebugPrivilege 2452 powershell.exe Token: SeDebugPrivilege 3052 System32.exe Token: SeDebugPrivilege 3424 System32.exe -
Suspicious use of FindShellTrayWindow 39 IoCs
pid Process 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3052 System32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4928 wrote to memory of 1404 4928 msedge.exe 83 PID 4928 wrote to memory of 1404 4928 msedge.exe 83 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 3144 4928 msedge.exe 84 PID 4928 wrote to memory of 2512 4928 msedge.exe 85 PID 4928 wrote to memory of 2512 4928 msedge.exe 85 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86 PID 4928 wrote to memory of 2280 4928 msedge.exe 86
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/YaBoyTuesday/CeleryNewest/raw/main/CeleryRelease2.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9542046f8,0x7ff954204708,0x7ff9542047182⤵PID:1404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:22⤵PID:3144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:82⤵PID:2280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵PID:324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:1460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:82⤵PID:2596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:12⤵PID:2772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:12⤵PID:4036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5656 /prefetch:82⤵PID:5016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵PID:3668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵PID:4344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:12⤵PID:2812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5768 /prefetch:22⤵PID:2608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:12⤵PID:1904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:12⤵PID:4104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:12⤵PID:1548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:12⤵PID:4816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:12⤵PID:3832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵PID:2056
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1656
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:820
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2980
-
C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CleryLauncher.exe"C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CleryLauncher.exe"1⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start "" "System32.exe" & start "" "CeleryLauncher.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\System32.exe"System32.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3052 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\System32.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CeleryLauncher.exe"CeleryLauncher.exe"3⤵
- Executes dropped EXE
PID:1788
-
-
-
C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CleryLauncher.exe"C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CleryLauncher.exe"1⤵
- System Location Discovery: System Language Discovery
PID:3392 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start "" "System32.exe" & start "" "CeleryLauncher.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\System32.exe"System32.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CeleryLauncher.exe"CeleryLauncher.exe"3⤵
- Executes dropped EXE
PID:4792
-
-
-
C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CeleryInject.exe"C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CeleryInject.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD59b008261dda31857d68792b46af6dd6d
SHA1e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
SHA2569ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
SHA51278853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10
-
Filesize
152B
MD50446fcdd21b016db1f468971fb82a488
SHA1726b91562bb75f80981f381e3c69d7d832c87c9d
SHA25662c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
SHA5121df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31
-
Filesize
261B
MD52c2e6472d05e3832905f0ad4a04d21c3
SHA1007edbf35759af62a5b847ab09055e7d9b86ffcc
SHA256283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
SHA5128c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37
-
Filesize
6KB
MD56ceba876e506791ad63c1535248f1484
SHA1e2d8d21d1f1cf3f78b660731d8ff7fbb53145540
SHA256864f3254a55b5aa200944889093c955a6b2e34a6229adea8b5e87102f2e52b5d
SHA51258e45731d72fbff7193c5d70d06862cd0c0142cdd2e2aae8c92ca0593b0351724246a75985ed5850ad68c423fb3768a94d97be564947a92aa49a69c4bd046f4f
-
Filesize
6KB
MD53b402bcf0837f42e6a6fde463533132e
SHA12ace6f0d920c23d697deca74e048c11b77203ce7
SHA256992e473ce13aa6c3c2f02605a7ce4429df4561c98afe6a8337bab2924cca31d2
SHA512413ec21eb3ff924c9ccc9dceb22fd1f0df4c38ba5aac87144883d36a294a706b253ca2534891939690e29417d435cf9157bb5aafbcf4381afb8f9920d1a682c4
-
Filesize
6KB
MD5d1c7788a6f6201a3e8cbb77af4baa2c1
SHA1d6a9a514a799a7937c0ffd6e9af5084431c4da35
SHA2566068f79afdbcf9e74ed59925ec94058463850f5a9f9dccc453c785224bb9c453
SHA512316a1af2c32ac1c5af0158fec62b1979b657623142607402b9e761da2517abd96c0a0140fa913665b4c9cec741db9e1b3780a0da9b7d3368f5609ffecba74ac7
-
Filesize
6KB
MD54f95e7a16e79f6b1011b0ffccdfc0c76
SHA1ad1b5368c253a74919407f595d4daa091d2c9a42
SHA2564a8a3b9bd4203a8453685f39d5d73cef1ffaecdb37e45d63701dfe0274f03baf
SHA5123f1d819781c934479c30c059fe8f4dbc7fc8907e47c621f12fed9ce95b8c2756e2f6fa7acafacb809e1df8623bcacf41bb1fff40fe0c748210fba8e66c20e2d3
-
Filesize
1KB
MD5500e5bab7cecc1cbbba03003837c58f9
SHA1e08a1b4ee618429ef2a94ab0f7dee4f83d6aa2ec
SHA256edfcc49f17b6df3fb5d184868f2556ab548678c324291c6d1b916377340fa4a5
SHA512ef6204c80deb21d38843c60a509674f3822c74e132d70c99cf0905e5397414177fac0424ec8a0c963d54ab88b7b2ebbf1f9d6ffecfd65ceda98ccac345c48fc7
-
Filesize
371B
MD553b0a91254c4578f48c137fcff3aceef
SHA1fe66f69b32ed39e2ce1fe8589ddc02b153a40a58
SHA256b02b430349ce9c09505e9f97735859b8278902928271336f6943099a8e86b46f
SHA512972765b517631465a71bde5d8f0977d723fb6d520a858b682ac17aea58bafd6ba7b69a78e1ceb6db0fbe2df3a5cb70f547fa59ecb6d77a734784ec2f02977597
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5cfb28252b186424e628feea87b6344b3
SHA1a377867c27587001c4e3ec958af1ca54f39eefbc
SHA256f2ef7b013d1af990609cf456b3a27d03c075cda4d0956bf21660b5dcc61594f6
SHA5126baf94b8a77f643a42a4f049bf14c019910880b825e77b7e6790785eb30adf33fd371badc3e413352d09f36abf4da936316efc69bd07ac6c5634ea164b36a612
-
Filesize
11KB
MD5873b956b01b8838f4638c41758e70017
SHA1a2ced548069817a71f745f0d054138b817720ce5
SHA25604406bb498fca3c15de95549c2511d3df4b5d48da9799ec879012a1f384c8ed7
SHA512c13ff413b1ec56421e86d31b1fb108ee18ac3e5ae73ae47339efce5a2ed6c0325b5a14071e9a4ed49f87bde4faa317d2f694a7a2853182e8c43b378783bc5b98
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
Filesize
152KB
MD5cf488af27bf33e6df70358c57b0482cb
SHA10c4d2d2879f03dc2aec495a3c677f3b0c4503389
SHA25615d7cd393c0486477c48371920ac061b07cd41a418fa6c183746634e1a39157e
SHA512f588f0bee7ab6479a1f29f25efab65aae6b1d52449d29c972e4797616a66d88c4edf97f67341b1347f3a54ba587cd96440960ae49ee4da42e95cd436c6af02db
-
Filesize
76KB
MD59d557d62e1d3b832b89dd6dc94cb81fa
SHA122cb8fc5a445130a84bb7d3c9e717f791bd35e28
SHA256c9980a680037a60448d6a8e7bd683adbc851586cc3a58bae5fe695f08ad7f139
SHA5127e4ee9ec8a217705df7dde54b1f5f4f9878c83e562ad9d72393ff15f2bd5495a3cf9e85a6cc142939e274712a6a780d0c96b7471d58721af81e1343347c64e81
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
18.6MB
MD516bbaad88653ff94e2deeacf3800bc1f
SHA1545fc3af43877cf9d0e901791ed9252c8218a07a
SHA25629116b97c992b8720d90c599c04ff7b9c15a46398e484f199d190b656cb29ebc
SHA512dc4af0460f869482628f5e5dc0e75642b7ff83ec3e78dec8d654c05028e9dd7357791a94cbd585007a4b15cddeb3743c35cc48888a6b4ab9f284a78634e60a9a