
Resubmissions

  • 10/08/2024, 19:38  240810-ycke2ayerf  6
  • 08/08/2024, 16:07  240808-tkm4nszarh  10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/08/2024, 16:07

General

  • Target

    https://github.com/YaBoyTuesday/CeleryNewest/raw/main/CeleryRelease2.zip

Malware Config

Extracted

Family

xworm

C2

allows-welfare.gl.at.ply.gg:49180

Attributes
  • Install_directory

    %Temp%

  • install_file

    System.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/YaBoyTuesday/CeleryNewest/raw/main/CeleryRelease2.zip
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9542046f8,0x7ff954204708,0x7ff954204718
      2⤵
      PID:1404
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      2⤵
      PID:3144
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2512
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
      2⤵
      PID:2280
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      2⤵
      PID:324
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      2⤵
      PID:1460
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
      2⤵
      PID:2596
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4776
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
      2⤵
      PID:2772
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      2⤵
      PID:4036
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5656 /prefetch:8
      2⤵
      PID:5016
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      2⤵
      PID:3668
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
      2⤵
      PID:4344
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
      2⤵
      PID:2812
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4968
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5768 /prefetch:2
      2⤵
      PID:2608
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
      2⤵
      PID:1904
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
      2⤵
      PID:4104
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
      2⤵
      PID:1548
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
      2⤵
      PID:4816
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
      2⤵
      PID:3832
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7432054350492807167,1276209347359417130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
      2⤵
      PID:2056
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1656
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:820
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2980
  • C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CleryLauncher.exe
    "C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CleryLauncher.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2248
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "System32.exe" & start "" "CeleryLauncher.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1944
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System32.exe
        "System32.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3052
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\System32.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:844
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3624
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1724
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2452
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CeleryLauncher.exe
        "CeleryLauncher.exe"
        3⤵
        • Executes dropped EXE
        PID:1788
  • C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CleryLauncher.exe
    "C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CleryLauncher.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3392
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "System32.exe" & start "" "CeleryLauncher.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\System32.exe
        "System32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3424
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\CeleryLauncher.exe
        "CeleryLauncher.exe"
        3⤵
        • Executes dropped EXE
        PID:4792
  • C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CeleryInject.exe
    "C:\Users\Admin\Downloads\CeleryRelease2\CeleryRelease2\CeleryInject.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2540

Network

MITRE ATT&CK Enterprise v15


                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                Filesize

                                                2KB

                                                MD5

                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                SHA1

                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                SHA256

                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                SHA512

                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B

                                                MD5

                                                9b008261dda31857d68792b46af6dd6d

                                                SHA1

                                                e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

                                                SHA256

                                                9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

                                                SHA512

                                                78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B

                                                MD5

                                                0446fcdd21b016db1f468971fb82a488

                                                SHA1

                                                726b91562bb75f80981f381e3c69d7d832c87c9d

                                                SHA256

                                                62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

                                                SHA512

                                                1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                Filesize

                                                261B

                                                MD5

                                                2c2e6472d05e3832905f0ad4a04d21c3

                                                SHA1

                                                007edbf35759af62a5b847ab09055e7d9b86ffcc

                                                SHA256

                                                283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

                                                SHA512

                                                8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                6KB

                                                MD5

                                                6ceba876e506791ad63c1535248f1484

                                                SHA1

                                                e2d8d21d1f1cf3f78b660731d8ff7fbb53145540

                                                SHA256

                                                864f3254a55b5aa200944889093c955a6b2e34a6229adea8b5e87102f2e52b5d

                                                SHA512

                                                58e45731d72fbff7193c5d70d06862cd0c0142cdd2e2aae8c92ca0593b0351724246a75985ed5850ad68c423fb3768a94d97be564947a92aa49a69c4bd046f4f

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                6KB

                                                MD5

                                                3b402bcf0837f42e6a6fde463533132e

                                                SHA1

                                                2ace6f0d920c23d697deca74e048c11b77203ce7

                                                SHA256

                                                992e473ce13aa6c3c2f02605a7ce4429df4561c98afe6a8337bab2924cca31d2

                                                SHA512

                                                413ec21eb3ff924c9ccc9dceb22fd1f0df4c38ba5aac87144883d36a294a706b253ca2534891939690e29417d435cf9157bb5aafbcf4381afb8f9920d1a682c4

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                6KB

                                                MD5

                                                d1c7788a6f6201a3e8cbb77af4baa2c1

                                                SHA1

                                                d6a9a514a799a7937c0ffd6e9af5084431c4da35

                                                SHA256

                                                6068f79afdbcf9e74ed59925ec94058463850f5a9f9dccc453c785224bb9c453

                                                SHA512

                                                316a1af2c32ac1c5af0158fec62b1979b657623142607402b9e761da2517abd96c0a0140fa913665b4c9cec741db9e1b3780a0da9b7d3368f5609ffecba74ac7

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                6KB

                                                MD5

                                                4f95e7a16e79f6b1011b0ffccdfc0c76

                                                SHA1

                                                ad1b5368c253a74919407f595d4daa091d2c9a42

                                                SHA256

                                                4a8a3b9bd4203a8453685f39d5d73cef1ffaecdb37e45d63701dfe0274f03baf

                                                SHA512

                                                3f1d819781c934479c30c059fe8f4dbc7fc8907e47c621f12fed9ce95b8c2756e2f6fa7acafacb809e1df8623bcacf41bb1fff40fe0c748210fba8e66c20e2d3

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59be35.TMP

                                                Filesize

                                                371B

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                11KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                11KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CeleryLauncher.exe

                                                Filesize

                                                152KB

                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\System32.exe

                                                Filesize

                                                76KB

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gcv2mfnb.urr.ps1

                                                Filesize

                                                60B

                                              • C:\Users\Admin\Downloads\Unconfirmed 783573.crdownload

                                                Filesize

                                                18.6MB

                                              • memory/844-94-0x000001D424740000-0x000001D424762000-memory.dmp

                                                Filesize

                                                136KB

                                              • memory/3052-91-0x0000000000290000-0x00000000002AA000-memory.dmp

                                                Filesize

                                                104KB