74ad0baac9e60a9c3d59665fca744a440290de704218caad1640e8de43c6b031

Analysis

max time kernel
363s
max time network
345s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

message (1).txt
Size

191KB
MD5

3c3da659310c15711a6870372170f514
SHA1

5a6f63714c7b6cde81f88c9e6e1dd30548e66d96
SHA256

74ad0baac9e60a9c3d59665fca744a440290de704218caad1640e8de43c6b031
SHA512

c966b653bf21fa0a34ff5a542f8fa6b2b9d86e040c87a22209ce3dee1af014b88537340fbf6c677228a164ee759379bdc511942d18f4e09ab41f8547544ee002
SSDEEP

3072:xNIg3BOa76nps+iRywxwJRJwTpKg3FLfXcPAOPgwm1Qi0whJ:x+uBrlHs/Og2AnPgR1

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 18 IoCs

flow	pid	Process
33	3676	powershell.exe
34	3676	powershell.exe
35	3716	powershell.exe
37	3716	powershell.exe
39	3716	powershell.exe
42	3716	powershell.exe
44	3716	powershell.exe
82	3716	powershell.exe
84	3716	powershell.exe
86	3676	powershell.exe
87	3676	powershell.exe
88	620	powershell.exe
89	620	powershell.exe
91	620	powershell.exe
93	620	powershell.exe
115	2908	powershell.exe
116	2908	powershell.exe
117	2908	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Celery.exe

Executes dropped EXE 4 IoCs

pid	Process
1712	Celery.exe
4180	CefSharp.BrowserSubprocess.exe
4532	CefSharp.BrowserSubprocess.exe
4916	main.exe

Loads dropped DLL 25 IoCs

pid	Process
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4532	CefSharp.BrowserSubprocess.exe
4532	CefSharp.BrowserSubprocess.exe
4532	CefSharp.BrowserSubprocess.exe
4532	CefSharp.BrowserSubprocess.exe
4532	CefSharp.BrowserSubprocess.exe
4532	CefSharp.BrowserSubprocess.exe
1712	Celery.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
83	raw.githubusercontent.com
84	raw.githubusercontent.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4180	CefSharp.BrowserSubprocess.exe
4532	CefSharp.BrowserSubprocess.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
620	powershell.exe
2908	powershell.exe
3716	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	taskmgr.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3676	powershell.exe
3676	powershell.exe
3676	powershell.exe
3716	powershell.exe
3716	powershell.exe
3716	powershell.exe
620	powershell.exe
620	powershell.exe
4856	msedge.exe
4856	msedge.exe
3440	msedge.exe
3440	msedge.exe
4176	identity_helper.exe
4176	identity_helper.exe
620	powershell.exe
620	powershell.exe
4180	CefSharp.BrowserSubprocess.exe
4180	CefSharp.BrowserSubprocess.exe
4532	CefSharp.BrowserSubprocess.exe
4532	CefSharp.BrowserSubprocess.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
1712	Celery.exe
2908	powershell.exe
2908	powershell.exe
2908	powershell.exe
2908	powershell.exe
2908	powershell.exe
2908	powershell.exe
2908	powershell.exe
2908	powershell.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	4180	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	1712	Celery.exe
Token: SeCreatePagefilePrivilege	1712	Celery.exe
Token: SeDebugPrivilege	4532	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	1712	Celery.exe
Token: SeShutdownPrivilege	1712	Celery.exe
Token: SeCreatePagefilePrivilege	1712	Celery.exe
Token: SeShutdownPrivilege	1712	Celery.exe
Token: SeCreatePagefilePrivilege	1712	Celery.exe
Token: SeShutdownPrivilege	1712	Celery.exe
Token: SeCreatePagefilePrivilege	1712	Celery.exe
Token: SeShutdownPrivilege	1712	Celery.exe
Token: SeCreatePagefilePrivilege	1712	Celery.exe
Token: SeShutdownPrivilege	1712	Celery.exe
Token: SeCreatePagefilePrivilege	1712	Celery.exe
Token: SeShutdownPrivilege	1712	Celery.exe
Token: SeCreatePagefilePrivilege	1712	Celery.exe
Token: SeShutdownPrivilege	1712	Celery.exe
Token: SeCreatePagefilePrivilege	1712	Celery.exe
Token: SeShutdownPrivilege	1712	Celery.exe
Token: SeCreatePagefilePrivilege	1712	Celery.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2656	taskmgr.exe
Token: SeSystemProfilePrivilege	2656	taskmgr.exe
Token: SeCreateGlobalPrivilege	2656	taskmgr.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe
2656	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 4764	3676	powershell.exe	104
PID 3676 wrote to memory of 4764	3676	powershell.exe	104
PID 4764 wrote to memory of 3440	4764	cmd.exe	106
PID 4764 wrote to memory of 3440	4764	cmd.exe	106
PID 3440 wrote to memory of 724	3440	net.exe	107
PID 3440 wrote to memory of 724	3440	net.exe	107
PID 4764 wrote to memory of 3716	4764	cmd.exe	108
PID 4764 wrote to memory of 3716	4764	cmd.exe	108
PID 3716 wrote to memory of 2180	3716	powershell.exe	109
PID 3716 wrote to memory of 2180	3716	powershell.exe	109
PID 2180 wrote to memory of 4272	2180	csc.exe	110
PID 2180 wrote to memory of 4272	2180	csc.exe	110
PID 3676 wrote to memory of 1332	3676	powershell.exe	125
PID 3676 wrote to memory of 1332	3676	powershell.exe	125
PID 1332 wrote to memory of 1452	1332	cmd.exe	127
PID 1332 wrote to memory of 1452	1332	cmd.exe	127
PID 1452 wrote to memory of 1044	1452	net.exe	128
PID 1452 wrote to memory of 1044	1452	net.exe	128
PID 1332 wrote to memory of 620	1332	cmd.exe	129
PID 1332 wrote to memory of 620	1332	cmd.exe	129
PID 620 wrote to memory of 2488	620	powershell.exe	130
PID 620 wrote to memory of 2488	620	powershell.exe	130
PID 2488 wrote to memory of 2304	2488	csc.exe	131
PID 2488 wrote to memory of 2304	2488	csc.exe	131
PID 620 wrote to memory of 3440	620	powershell.exe	132
PID 620 wrote to memory of 3440	620	powershell.exe	132
PID 3440 wrote to memory of 2092	3440	msedge.exe	133
PID 3440 wrote to memory of 2092	3440	msedge.exe	133
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134
PID 3440 wrote to memory of 5104	3440	msedge.exe	134

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\message (1).txt"
1⤵
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\betterCeleryRun.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "irm bcelery.github.io/src/gui.ps1 | iex"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qyeeivgb\qyeeivgb.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D54.tmp" "c:\Users\Admin\AppData\Local\Temp\qyeeivgb\CSC1780A52AAD5540C1B0E531EE71E7A0A8.TMP"
        5⤵
        
        PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\betterCeleryRun.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "irm bcelery.github.io/src/gui.ps1 | iex"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4d53t3rf\4d53t3rf.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8181.tmp" "c:\Users\Admin\AppData\Local\Temp\4d53t3rf\CSCF047D075D9F34F0ABAFD6AF6452C2B73.TMP"
        5⤵
        
        PID:2304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://celery.zip/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb90b46f8,0x7ffbb90b4708,0x7ffbb90b4718
        5⤵
        
        PID:2092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,5739135305339000955,11692175208617253599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
        5⤵
        
        PID:5104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,5739135305339000955,11692175208617253599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,5739135305339000955,11692175208617253599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
        5⤵
        
        PID:4540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5739135305339000955,11692175208617253599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
        5⤵
        
        PID:5084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5739135305339000955,11692175208617253599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        5⤵
        
        PID:4188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5739135305339000955,11692175208617253599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
        5⤵
        
        PID:724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,5739135305339000955,11692175208617253599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
        5⤵
        
        PID:1044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,5739135305339000955,11692175208617253599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 /prefetch:8
        5⤵
        
        PID:404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,5739135305339000955,11692175208617253599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4176
  - - C:\Users\Admin\AppData\Local\Celery\Celery.exe
      "C:\Users\Admin\AppData\Local\Celery\Celery.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1712
    - - C:\Users\Admin\AppData\Local\Celery\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\Celery\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Celery\cache" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Local\Celery\debug.log" --field-trial-handle=2036,i,4297119631823378598,10540470704363006467,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=2012 /prefetch:2 --host-process-id=1712
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Network Service Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
    - - C:\Users\Admin\AppData\Local\Celery\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\Celery\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Celery\cache" --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Local\Celery\debug.log" --field-trial-handle=2440,i,4297119631823378598,10540470704363006467,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=2436 /prefetch:3 --host-process-id=1712
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Network Service Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
    - - C:\Users\Admin\AppData\Local\Celery\bin\lsp\main.exe
        
        "C:\Users\Admin\AppData\Local\Celery\bin\lsp\main.exe"
        5⤵
        Executes dropped EXE
        
        PID:4916
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "start %localappdata%/Celery"
      4⤵
      Modifies registry class
      PID:264
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "start %appdata%/Celery/Themes"
      4⤵
      Modifies registry class
      PID:1748
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "start %localappdata%/Celery/scripts"
      4⤵
      Modifies registry class
      PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\betterCeleryRun.cmd" "
  2⤵
  PID:1096
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:2360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "irm bcelery.github.io/src/gui.ps1 | iex"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e112jn1x\e112jn1x.cmdline"
      4⤵
      PID:5056
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDB5.tmp" "c:\Users\Admin\AppData\Local\Temp\e112jn1x\CSC340C8FAAF3DA439D8667C13AB6D73968.TMP"
        5⤵
        
        PID:1936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2680

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Celery\CefSharp.BrowserSubprocess.Core.dll

Filesize
1.1MB

MD5
5b745ee879e65f7a47c56265881f16e7

SHA1
e6a90771b8f1bf53beeb7c9e4268756ff07a088d

SHA256
c8944a83938c39fbea72700485db8a61ab82e1c51d8e16d5dd48de4e36a6f264

SHA512
3b4bef98a1f751c3a747de0eb050828bf8474efa68aa7a26d0369f1c3b42829eaab221cb612c005a54ed5b84f19180700e51aab39adb84fe7246d9e91e6899c8

Download Submit
C:\Users\Admin\AppData\Local\Celery\CefSharp.BrowserSubprocess.exe

Filesize
6KB

MD5
bcd22b9511d5383e23d875e2cf3c339e

SHA1
0ef86afaef536cc4b046ea2866414bb193d60702

SHA256
95dd31f11ac1317559b6eee0479739930d503a4938283f5d831ac8add92ad792

SHA512
c4e6821858720895c0bfae797097e3307bb7ea8f03dde4fefc16cce03b2a50fecfe8ed5c3225136fcd9d74ee0ed8673f795b410cd14890d22df58c1f03b693c6

Download Submit
C:\Users\Admin\AppData\Local\Celery\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
21719cf581f5cc98b21c748498f1cbfe

SHA1
aaada7a02fadcbd25b836c924e936ce7d7ee0c2a

SHA256
6fd2685e02ef7c92ba5080faadb44f22fee528713f5101e2841c1230cba691e6

SHA512
6394ddabc7ad03895ecddb9943371935e0a2320e933b380a563eaf03d1a039c7180aee763834170c85485416b1af38b55c1dafff7311b25513369b01dce22598

Download Submit
C:\Users\Admin\AppData\Local\Celery\CefSharp.Core.dll

Filesize
897KB

MD5
16f8a4945f5bdd5c1c6c73541e1ebec3

SHA1
4342762c43f54c4caafaae40f933599a9bb93cb5

SHA256
636f8f865f23f2d47b73f3c16622e10b46437bbf7c89b0a2f70bae6129ab046a

SHA512
04115c425c3015ee4355cde2a6e5e28ec24745ea77761a40c0986b54dc14bc67cb142986988d79df87e75ea54d21ded9384842e01cf0714b84f7378e6a13400d

Download Submit
C:\Users\Admin\AppData\Local\Celery\CefSharp.Wpf.dll

Filesize
114KB

MD5
36946182df277e84a313c3811adac855

SHA1
bcd21305861e22878271e37604b7b033ec347eb3

SHA256
8507a4662220eca49d7d511183be801cd394f13dc0e9898c55361020fe9a4720

SHA512
80b1e947b1940dccfe5be8a1ba1e8c1d9eacb122d73724a21233164f5b318fa57c249256f621f0f9c1e6a9e4c902eec58827bb899e20f2990f4ade1d685f1abd

Download Submit
C:\Users\Admin\AppData\Local\Celery\CefSharp.dll

Filesize
272KB

MD5
715c534060757613f0286e1012e0c34a

SHA1
8bf44c4d87b24589c6f08846173015407170b75d

SHA256
f7ad2bbbeb43f166bbbf986bdb2b08c462603c240c605f1c6a7749c643dff3fe

SHA512
fcaec0c107a8703a8263ce5ccc64c2f5bfc01628756b2319fde21b0842652fbeee04c9f8f6d93f7200412d9bd9fad01494bc902501fb92e7d6b319f8d9db78d7

Download Submit
C:\Users\Admin\AppData\Local\Celery\Celery.exe

Filesize
17.3MB

MD5
158d9c2423f3c46245cdbba75ce6961f

SHA1
7ab0ca87229bd70195417b6448e77c653a1ea430

SHA256
c33cc390f616dc93c8836187ed4de4f2af0974726787269c846323cae843b2a1

SHA512
bdaff0542a818d3a31995341debffc494dc3109a9a1bc29dd91da4ab3590d2dcc6aaeee10de4999cabdcc2f18ed0134aaab9355b83b4b24dc3fc7192a0fa5ae1

Download Submit
C:\Users\Admin\AppData\Local\Celery\Celery.exe.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Users\Admin\AppData\Local\Celery\D3DCompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Celery\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
26KB

MD5
ff34978b62d5e0be84a895d9c30f99ae

SHA1
74dc07a8cccee0ca3bf5cf64320230ca1a37ad85

SHA256
80678203bd0203a6594f4e330b22543c0de5059382bb1c9334b7868b8f31b1bc

SHA512
7f207f2e3f9f371b465bca5402db0e5cec3cb842a1f943d3e3dcedc8e5d134f58c7c4df99303c24501c103494b4f16160f86db80893779ce41b287a23574ee28

Download Submit
C:\Users\Admin\AppData\Local\Celery\Microsoft.Extensions.DependencyInjection.Abstractions.dll

Filesize
62KB

MD5
00053ff3b5744853b9ebf90af4fdd816

SHA1
13c0a343f38b1bb21a3d90146ed92736a8166fe6

SHA256
c5a119ec89471194b505140fba13001fa05f81c4b4725b80bb63ccb4e1408c1e

SHA512
c99fcda5165f8dc7984fb97ce45d00f8b00ca9813b8c591ad86691bd65104bbb86c36b49bb6c638f3b1e9b2642ec9ac830003e894df338acfca2d11296ff9da4

Download Submit
C:\Users\Admin\AppData\Local\Celery\Microsoft.Extensions.DependencyInjection.dll

Filesize
94KB

MD5
3452007cab829c2ba196f72b261f7dec

SHA1
c5e7cfd490839f2b34252bd26020d7f8961b221b

SHA256
18b39777ee45220217459641991ab700bc9253acaf0940cf6e017e9392b43698

SHA512
a8b83a8582dfee144925a821d09c40f5730f6337b29446c3bce8b225659bdc57a48778081fa866c092d59b4108c1d992e33f9543ae2b4c7554b8ff27b5332cdf

Download Submit
C:\Users\Admin\AppData\Local\Celery\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Users\Admin\AppData\Local\Celery\bin\lsp\main.exe

Filesize
36.1MB

MD5
43ad962c7acda3e30300e7d0f1add3fb

SHA1
362c217d315f288f375fec7289a2606ed6d4f432

SHA256
534e6212f155fba25a38fba248ce7970e69335492d57443d04037b617260dd9b

SHA512
3822b6b426c85a61c4d754de7c33fdfbca45c9e80f2ba52f4c6ac98ad726109e276851af3612ebb39a6cefa4de9589d412e2805a3bacf7845d2aa22189396e4b

Download Submit
C:\Users\Admin\AppData\Local\Celery\chrome_100_percent.pak

Filesize
682KB

MD5
d3e06f624bf92e9d8aecb16da9731c52

SHA1
565bdcbfcbfcd206561080c2000d93470417d142

SHA256
4ee67f0b0b9ad2898e0d70ddfad3541fbd37520686f9e827a845d1930a590362

SHA512
497126af59961054155fbb8c3789d6278a1f5426000342f25f54115429ff024e629783f50f0c5350500007854712b07f7d8174ecfe60d59c4fdd5f3d72dac262

Download Submit
C:\Users\Admin\AppData\Local\Celery\chrome_200_percent.pak

Filesize
1.1MB

MD5
34572fb491298ed95ad592351fb1f172

SHA1
4590080451f11ff4796d0774de3ff638410abdba

SHA256
c4363d6ecfa5770b021ce72cc7d2ab9be56b0ce88075ec051ad1de99b736dbbd

SHA512
e0e7deccb26b7df78d6193750bfb9aad575b807424a0a5d124bd944e568c1bb1ae29f584246f753d619081a48d2897815145028ffedd9488e9a8f102cdc67e2f

Download Submit
C:\Users\Admin\AppData\Local\Celery\chrome_elf.dll

Filesize
1.3MB

MD5
5b3802f150c42ad6d24674ae78f9d3e8

SHA1
428139f0a862128e55e5231798f7c8e2df34a92a

SHA256
9f455612e32e5da431c7636773e34bd08dae79403cc8cf5b782b0ea4f1955799

SHA512
07afbd49e17d67957c65929ca7bdfe03b33b299c66c48aa738262da480ed945712d891be83d35bd42833d5465ef60e09c7a5956df0a369ec92d3bc2d25a09007

Download Submit
C:\Users\Admin\AppData\Local\Celery\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\Celery\libGLESv2.dll

Filesize
7.3MB

MD5
c9b090ed25f61aa311a6d03fd8839433

SHA1
f1567aa2fb1fcad3cde1e181a62f5e2bccadaf68

SHA256
c7a7a59cf3c26d6c8b2505996065d49f339764f5718e6f53a9ecec8686c489db

SHA512
21cd4618b6ad011afa78abe8fbc42ecafbb992322912c4a77e5f193a04aeb97a5655dedfc513e1a7667db55b92a322e3d9a6dfe7e845af25f37a6666a1798470

Download Submit
C:\Users\Admin\AppData\Local\Celery\libegl.dll

Filesize
459KB

MD5
ce2c45983f63a6cf0cddce68778124e9

SHA1
6553dc5b4bc68dcb1e9628a718be9c5b481a6677

SHA256
9ca8840bbb5f587848e66d08d36cb5eb30c1c448ef49ce504961ff4ac810c605

SHA512
df81a3356168e78d9810f5e87ca86eb4f56e5f0cb6afdb13408b50778a2d8b18c70b02c6348cd7ba59609ab2956d28eed324706eb65d04bce1159a2d8f1e0e8f

Download Submit
C:\Users\Admin\AppData\Local\Celery\locales\en-US.pak

Filesize
455KB

MD5
a8d060aa17ed42b6b2c4a9fcbab8a7e1

SHA1
16e4e544eca024f8b5a70b4f3ca339a7a0a51ebf

SHA256
55e4ae861aa1cacb09db070a4be0e9dd9a24d2d45e4168824364307120a906b2

SHA512
8f3820e3c5aca560344a253d068936bdb797d07eb22711020d287a949c97d7a98879ff9ff5a4fb2f3fe804bf502300b6f4c92918d973bef351d587483bc43723

Download Submit
C:\Users\Admin\AppData\Local\Celery\resources.pak

Filesize
7.9MB

MD5
5955471c84eaad269c23f8a22b71f781

SHA1
d625fb0b12d132fec9f91cbc7db54887589f202e

SHA256
b8ae091d95e927a75a9b0a367a8ee9bc5fae0a10427eb77cb3c3460097cd4f5e

SHA512
537fa6f414c7759e70ad6e70350571221ba69afaf89427c7450acf117e58a97fc7beb2a1758cf05b2ef76a14ad50e762f01b1c65d1ccbc63e4d714af445988df

Download Submit
C:\Users\Admin\AppData\Local\Celery\version.txt

Filesize
214B

MD5
0bd04eb6c3f603659b486eae9dcef899

SHA1
454ec41c0dc0efbc5eb80e12911e11fb26f8716d

SHA256
ab5073fa67f8e247b713f27682884877908816e987b14ea15f5a54f2d6641d69

SHA512
4ca3a3791ed1d0741216949e11d35b1092f191b1031f08ad630e37112a539338398eb99af8fb5e34a6d157ffd59ce802da6aab26d968bfb822d3737d94d158d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
6258d2229315e2d9a58a80d82b0826b4

SHA1
5e2517a4d153df49c7ac744079bc1f37fc57ac49

SHA256
fefe4ec56148b3576625bf6ab1df5f0af5a7f701cbb7dd37efea350b112ead3a

SHA512
d26949d796d33ec564e07669b66b922a01f93c1630c149ae954175365516cbba747653474a01471394b88a7e64a19d33ad967c6c75b5e1b9fe3176f7c548fa5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c58bf5080a7b8041ef03d46f03ce42f8

SHA1
c9447b91a3f50ee85a03f92c82b34fa03139a7dc

SHA256
4ae0bd5a5489f14ec2e5a174a142915ca93fa31ddf495986ecc8fd9553017a6a

SHA512
c2f4a407eb3c7e62ec175c3457c0a4ba659138701389ab55ae9ca9cbedecdb529453878827ab78ca3f96c0d9e702addf0a7d7239868f0eacf8a780d4ff5645ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fddd90d23d7f98939886160b8dfc982d

SHA1
d8700c5c108c2d1dc6fc11afaf3edeb406cb8f73

SHA256
06cb84a39d8016947533aca5e4705652e3d170d77624f71eac85bb4eac2f292e

SHA512
5d67ff63b9f81d818e6d83c4ab7eb9be82924e3a7c166f394f93a13de518115cab7623e12e59fa0644638cc12eca858711c0a7b1acf9a381375042a50623f7e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2be2e533372b3b17ffb8456cc0b8e305

SHA1
ccb03618c8a64db39171654059b16efe2d4d2ad8

SHA256
24fe7247dd2ac5b5d9e1962e99d5469d86f4b1b45d861b054953e91b8e339c9f

SHA512
c434698388710956a0571901e49ec580d4ba54aa4575e4fb5eef65e1a7eed826f88d08310b0e52410f45a051622062e3d0170a4d45923a4d77b6bfc903eb343f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb03d38c880cbefeed7f54d7ff39351f

SHA1
feb14420b5f19c388d3afa7b30521fc5b524748e

SHA256
291e8d2fb41154cb4ddeada0811d05cd62d8c1064257918e3f608f05a8138ed3

SHA512
368f8d4d7da451f51549b5797d285bbb78a2f659f160642d287a5c83c25928dba3d09143a1515eca8c5fcf004cc78dafb6b53d8f4580a433f97c92ff3658192b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d53t3rf\4d53t3rf.dll

Filesize
3KB

MD5
d7a77c912d1c50a7304487d5354c7012

SHA1
e88d1aa8beb0908f880318d121e6ed60fa16462d

SHA256
243eb5527dfecc19efc748f1eaafed9c4861ebe098821281bc0f3ba060bc887a

SHA512
04996923cc33f1ab2fd5dab89e911f7fd6d808cf8f7d5673f09fb3aefeec73b17a9014fec9b86e70e7187be7747d8814b270e6b6111ede76d71f45e53602631a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D54.tmp

Filesize
1KB

MD5
4f606633743174d4f7f1cdaacb3c1722

SHA1
67fa3b9a58a7c76df30c01949fb4faf3c75170e6

SHA256
edce16e8c9f1e0eaff8874b430627232ccb7fd98a449b9f1b6b02e50e44d4819

SHA512
3f78f25234662896d1f39793edd016ac7f01e3f6ce9db98b47a6378f02dc71dd24aa6a32424d1d3edf19019fd24e088aaf536526f1762615e05f94f1144aa78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8181.tmp

Filesize
1KB

MD5
2ae062521a64fcbedec3a90895b98794

SHA1
05ff5219bd815b4cf7ff7643503efc9b59f2f767

SHA256
09998c214b0ca0e7745f524189afde4c32a165b27b2cd15cffeaba4c4a933e68

SHA512
4513ea221a3d46f76730732fcd28ab077ae19cb9a0dfda387ff1722c6210db458895456fe768b036c07c123f8e86f11cce0b149ab14d2c046bb773f333b5f533

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogxivzty.lxf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyeeivgb\qyeeivgb.dll

Filesize
3KB

MD5
0048c73e49882baee08ea02508600b14

SHA1
3e3e04666cb0c5f1caba730fab4e2e0cb0f4638b

SHA256
19d0240c6237bc11a2a6a50fbb5cc11e89c1239c31ac6ba0b5139278db2854fe

SHA512
616097d4ac3c030f15974a41083fe1729dd3811d4c8bea1072d27bcb07b5847c42e49a8c8a363ae2e8109eeab082d01509adb34de9a3bd258bc996839e5a28b6

Download Submit
C:\Users\Admin\AppData\Roaming\Celery\settings.json

Filesize
116B

MD5
53bd3a85ae0f3c6b08b3c6a6fc58c127

SHA1
686e0e83a7b5279d4efb62b0dd3cd7b9a94195cf

SHA256
69b2c2fa52825ccd32572f2a9083388c8a6d799a6ac72c788fb7a63c1a18387a

SHA512
3c2fdfc69977de09b71cc7dd35e3a63c269bccbbc5e065856336ec3f94fa134f57d763a72069ed98e0bea585b590f45922ae8513478e0c711d8429294e56091a

Download Submit
C:\Users\Admin\Desktop\bCelery.lnk

Filesize
1KB

MD5
b931852dc0c53020f466f28eaee9c697

SHA1
ea40269d052da252e7bb66de7230ae1f06251fb3

SHA256
a391c03f966991a6e4ae8c947e1f149682415267b4eab027d0427e0f18219a88

SHA512
f113167c83a885a0c156d8bfa1e01962d671164d6af42ae5db74a45811e7fe586076a76bacd62a6f6c68764d38babee591d54ca40713f05342e29c37e302dc2b

Download Submit
C:\Users\Admin\Documents\betterCeleryRun.cmd

Filesize
272B

MD5
f0dc748048d93bfcffeade9e70839e47

SHA1
f499891181bb8f8ce9f11f4ea531e4406b791d53

SHA256
30f45fd0cf8ad465a14fef1f26049a77dd7dafc6073478c921318a0b345ae84c

SHA512
c3bc0c87227b7429e76ed6c308918c2de339064bd87d790a717971b25e1165c01767e57c7f24edb17f76196b13315a98056a59c631b93000c30ad4d73901fb1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4d53t3rf\4d53t3rf.cmdline

Filesize
369B

MD5
4decb8867acf93f1202d1cac51c52990

SHA1
05604e4f8fe49ebe21fc70d50991a732e98ab2c0

SHA256
b92aa99f2b7e27dad8141e9530280892094f5edb7a1851077ab0fb9e75cc0245

SHA512
e07d30dedd2a8c3418decb249121f16f8b87674e73e3994fb5fcccf3fdc8c0d6719bb552258d661cc23a1e0cf2b6fcb78aa0fbc186c3eb0317b627a81d119b85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4d53t3rf\CSCF047D075D9F34F0ABAFD6AF6452C2B73.TMP

Filesize
652B

MD5
2f63563048bbe2f711a032c0ee1d38b9

SHA1
8540148f2a47a4c88c1b1c192af0935cfb3f9758

SHA256
753905fa41b66299dc23d3c65c5128452c236d4e72d3852ab830b5535144e446

SHA512
efb1b9b59c68e234a920249ed056dbab7c557c61a10b0a128bbcd0638709d5688e55b18cfa0ae7e00a8b7157ca6a6e307b5c5825f076d285f783da5544bcd31d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qyeeivgb\CSC1780A52AAD5540C1B0E531EE71E7A0A8.TMP

Filesize
652B

MD5
d0ef23204d8e4dc89c0e882275ba5366

SHA1
afca6b44cb44f6f1cf78a4b3ae9562b8900788d1

SHA256
1e3b9f8611cc256e4cdecacececcb8d256986506a0a47fed64e106628a43dc7f

SHA512
730074727a804cbe87d067910e62e512a692775d004717b276976cb8616171775dee9ee65a0b4e2665d240f5ade32d284c5d2b98524078cdb7b6af97c4e4e7d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qyeeivgb\qyeeivgb.0.cs

Filesize
1KB

MD5
b983dc31d9cc03fa0a806d03d41a442a

SHA1
1119fb39e7e468826237c9ca89b3eb837755360b

SHA256
af8f55a45d929c65f9ec3900760c74c24020ee7f61c92ca0b750ee374bb8b232

SHA512
c2166540f72fc70dd2189c29260a0ad66628fba431546455317fd6cad50b86a0731756779e7ccac2197b90a348859f3f239bf70271bbcb279dffc2afadec7d18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qyeeivgb\qyeeivgb.cmdline

Filesize
369B

MD5
26fcfbb17dea143ff6fab10de3f2594a

SHA1
b14a71a95a4af0295a78e7a1a029df59d6018e24

SHA256
2181cd989cd09357313fc402c4d003ace3d9680bfdd1376e73ecdf79d625d464

SHA512
01dd5dd7413c2cfc125206b71cd2ddba7e5204039fc707a31b40a1332be97fc9d735d82983c950b5c128a41dcbacc3129ed8a880d4214a97a0c8042047602e49

Download Submit
memory/620-347-0x00000196E0BB0000-0x00000196E0BB8000-memory.dmp

Filesize
32KB

Download
memory/1712-664-0x0000021B729F0000-0x0000021B729FE000-memory.dmp

Filesize
56KB

Download
memory/1712-475-0x0000021B59F90000-0x0000021B59F9A000-memory.dmp

Filesize
40KB

Download
memory/1712-473-0x0000021B5A010000-0x0000021B5A02C000-memory.dmp

Filesize
112KB

Download
memory/1712-467-0x0000021B59FC0000-0x0000021B59FE4000-memory.dmp

Filesize
144KB

Download
memory/1712-477-0x0000021B59FA0000-0x0000021B59FAA000-memory.dmp

Filesize
40KB

Download
memory/1712-481-0x0000021B72B20000-0x0000021B72CE1000-memory.dmp

Filesize
1.8MB

Download
memory/1712-469-0x0000021B72A30000-0x0000021B72B16000-memory.dmp

Filesize
920KB

Download
memory/1712-663-0x0000021B7FFA0000-0x0000021B7FFD8000-memory.dmp

Filesize
224KB

Download
memory/1712-465-0x0000021B572C0000-0x0000021B5840E000-memory.dmp

Filesize
17.3MB

Download
memory/1712-471-0x0000021B59FF0000-0x0000021B5A004000-memory.dmp

Filesize
80KB

Download
memory/1712-489-0x0000021B7FF10000-0x0000021B7FF5A000-memory.dmp

Filesize
296KB

Download
memory/1712-662-0x0000021B729E0000-0x0000021B729F0000-memory.dmp

Filesize
64KB

Download
memory/1712-661-0x0000021B729D0000-0x0000021B729D8000-memory.dmp

Filesize
32KB

Download
memory/1712-639-0x0000021B80020000-0x0000021B800D2000-memory.dmp

Filesize
712KB

Download
memory/1712-665-0x0000021B72D00000-0x0000021B73D00000-memory.dmp

Filesize
16.0MB

Download
memory/2656-709-0x00000219CDCF0000-0x00000219CDCF1000-memory.dmp

Filesize
4KB

Download
memory/2656-703-0x00000219CDCF0000-0x00000219CDCF1000-memory.dmp

Filesize
4KB

Download
memory/2656-697-0x00000219CDCF0000-0x00000219CDCF1000-memory.dmp

Filesize
4KB

Download
memory/2656-706-0x00000219CDCF0000-0x00000219CDCF1000-memory.dmp

Filesize
4KB

Download
memory/2656-707-0x00000219CDCF0000-0x00000219CDCF1000-memory.dmp

Filesize
4KB

Download
memory/2656-699-0x00000219CDCF0000-0x00000219CDCF1000-memory.dmp

Filesize
4KB

Download
memory/2656-708-0x00000219CDCF0000-0x00000219CDCF1000-memory.dmp

Filesize
4KB

Download
memory/2656-704-0x00000219CDCF0000-0x00000219CDCF1000-memory.dmp

Filesize
4KB

Download
memory/2656-705-0x00000219CDCF0000-0x00000219CDCF1000-memory.dmp

Filesize
4KB

Download
memory/2656-698-0x00000219CDCF0000-0x00000219CDCF1000-memory.dmp

Filesize
4KB

Download
memory/2908-691-0x000001B066D50000-0x000001B066D58000-memory.dmp

Filesize
32KB

Download
memory/3676-3-0x0000029132070000-0x0000029132092000-memory.dmp

Filesize
136KB

Download
memory/3676-16-0x0000029132600000-0x0000029132676000-memory.dmp

Filesize
472KB

Download
memory/3676-19-0x0000029132850000-0x0000029132A12000-memory.dmp

Filesize
1.8MB

Download
memory/3676-52-0x00007FFBA7CE0000-0x00007FFBA87A1000-memory.dmp

Filesize
10.8MB

Download
memory/3676-15-0x00007FFBA7CE0000-0x00007FFBA87A1000-memory.dmp

Filesize
10.8MB

Download
memory/3676-2-0x00007FFBA7CE3000-0x00007FFBA7CE5000-memory.dmp

Filesize
8KB

Download
memory/3676-14-0x0000029132530000-0x0000029132574000-memory.dmp

Filesize
272KB

Download
memory/3676-51-0x00007FFBA7CE3000-0x00007FFBA7CE5000-memory.dmp

Filesize
8KB

Download
memory/3676-696-0x00007FFBA7CE0000-0x00007FFBA87A1000-memory.dmp

Filesize
10.8MB

Download
memory/3676-13-0x00007FFBA7CE0000-0x00007FFBA87A1000-memory.dmp

Filesize
10.8MB

Download
memory/3716-50-0x0000029B70A70000-0x0000029B70F98000-memory.dmp

Filesize
5.2MB

Download
memory/3716-55-0x000002936FD40000-0x000002936FD52000-memory.dmp

Filesize
72KB

Download
memory/3716-56-0x000002936F5C0000-0x000002936F5CA000-memory.dmp

Filesize
40KB

Download
memory/3716-48-0x00000293702C0000-0x0000029370A66000-memory.dmp

Filesize
7.6MB

Download
memory/3716-46-0x000002936F270000-0x000002936F278000-memory.dmp

Filesize
32KB

Download
memory/4180-670-0x000002B169970000-0x000002B16A970000-memory.dmp

Filesize
16.0MB

Download
memory/4180-503-0x000002B14F420000-0x000002B14F426000-memory.dmp

Filesize
24KB

Download
memory/4180-507-0x000002B169850000-0x000002B16996E000-memory.dmp

Filesize
1.1MB

Download
memory/4532-669-0x0000029F713E0000-0x0000029F723E0000-memory.dmp

Filesize
16.0MB

Download