60593ced1e78fd4b3fdffcd58bcde989d8e9b031b3ad9132815fdf614e0449d4

Analysis

max time kernel
311s
max time network
313s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
12/08/2024, 04:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CeleryInstaller.exe
Size

822KB
MD5

0bd82e264be214414d6dd26bac3e1770
SHA1

5325e64053dcf599a9c5cedec532418716f9d357
SHA256

60593ced1e78fd4b3fdffcd58bcde989d8e9b031b3ad9132815fdf614e0449d4
SHA512

842a80fed2286d06987cd2dde7ae94fc6c7986eb49cc62684f62f148973e5080df7866e1d2f81d53cb5ac95ef9d88489f6765265e29104be0ae349c6a3164592
SSDEEP

12288:c5SsIg0ZvkY29slOLJFbJZXM1Eg/2QAu4NRFNxIg0Z:Ru0ZvkY29+OLfzI2Q0NH10Z

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2368	Celery.exe
2240	CefSharp.BrowserSubprocess.exe
1440	CefSharp.BrowserSubprocess.exe
3928	main.exe

Loads dropped DLL 22 IoCs

pid	Process
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
1440	CefSharp.BrowserSubprocess.exe
1440	CefSharp.BrowserSubprocess.exe
1440	CefSharp.BrowserSubprocess.exe
1440	CefSharp.BrowserSubprocess.exe
1440	CefSharp.BrowserSubprocess.exe
2368	Celery.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
23	raw.githubusercontent.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2240	CefSharp.BrowserSubprocess.exe
1440	CefSharp.BrowserSubprocess.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CeleryInstaller.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Celery.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	CeleryInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0	Celery.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	CeleryInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0	Celery.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	CeleryInstaller.exe
Key created	\Registry\User\S-1-5-21-131918955-2378418313-883382443-1000_Classes\NotificationData	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	CeleryInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Celery.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	Celery.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Celery.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	CeleryInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	CeleryInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	Celery.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	Celery.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	CeleryInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Celery.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Celery.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Celery.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	Celery.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	CeleryInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Celery.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0	Celery.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	CeleryInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	CeleryInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	Celery.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	CeleryInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Celery.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Celery.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	CeleryInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	CeleryInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 820074001c004346534616003100000000000259697a120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe0259697a0c5943252e00000068570200000001000000000000000000000000000000bf162a004100700070004400610074006100000042000000	Celery.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 4e003100000000000c596225100054656d7000003a0009000400efbe0259697a0c59ca252e0000007d57020000000100000000000000000000000000000096d09800540065006d007000000014000000	Celery.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\NodeSlot = "11"	Celery.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	Celery.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\MRUListEx = ffffffff	Celery.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Celery.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	Celery.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Celery.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	CeleryInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	CeleryInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	CeleryInstaller.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	CeleryInstaller.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5596	msedge.exe
5596	msedge.exe
5480	msedge.exe
5480	msedge.exe
6080	msedge.exe
6080	msedge.exe
2240	CefSharp.BrowserSubprocess.exe
2240	CefSharp.BrowserSubprocess.exe
1440	CefSharp.BrowserSubprocess.exe
1440	CefSharp.BrowserSubprocess.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3968	CeleryInstaller.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	CeleryInstaller.exe
Token: SeDebugPrivilege	2240	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeDebugPrivilege	1440	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeDebugPrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe
Token: SeShutdownPrivilege	2368	Celery.exe
Token: SeCreatePagefilePrivilege	2368	Celery.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe
5480	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3968	CeleryInstaller.exe
4916	MiniSearchHost.exe
2368	Celery.exe
2368	Celery.exe
2368	Celery.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5480 wrote to memory of 3996	5480	msedge.exe	94
PID 5480 wrote to memory of 3996	5480	msedge.exe	94
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 3844	5480	msedge.exe	95
PID 5480 wrote to memory of 5596	5480	msedge.exe	96
PID 5480 wrote to memory of 5596	5480	msedge.exe	96
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97
PID 5480 wrote to memory of 3320	5480	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3968
- C:\Users\Admin\AppData\Local\Temp\Celery\Celery.exe
  "C:\Users\Admin\AppData\Local\Temp\Celery\Celery.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\Celery\CefSharp.BrowserSubprocess.exe
    "C:\Users\Admin\AppData\Local\Temp\Celery\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Celery\cache" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Local\Temp\Celery\debug.log" --field-trial-handle=1968,i,4618765532909190166,14150129874300928074,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:2 --host-process-id=2368
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Network Service Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\Celery\CefSharp.BrowserSubprocess.exe
    "C:\Users\Admin\AppData\Local\Temp\Celery\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Celery\cache" --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Local\Temp\Celery\debug.log" --field-trial-handle=2372,i,4618765532909190166,14150129874300928074,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=2368 /prefetch:3 --host-process-id=2368
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Network Service Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Users\Admin\AppData\Local\Temp\Celery\bin\lsp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\Celery\bin\lsp\main.exe"
    3⤵
    - Executes dropped EXE
    PID:3928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://appdata/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7fff2a0c3cb8,0x7fff2a0c3cc8,0x7fff2a0c3cd8
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,2536023274830654415,13896427509546753567,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,2536023274830654415,13896427509546753567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,2536023274830654415,13896427509546753567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2536023274830654415,13896427509546753567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2536023274830654415,13896427509546753567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,2536023274830654415,13896427509546753567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,2536023274830654415,13896427509546753567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4148

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e77b1feddca2be0ef161c09436307c3

SHA1
6c28d79a5d9a95dfcf0511b28e47540aa81dffc4

SHA256
e34869203394b1ed07f27e9feb4bec194050e1f9d30eb92abd1f8116be951146

SHA512
8f055dcb8d6862217e25633f6cb61f80cfbfcb1d46a7a89e9bab3f4ffddab998f8b3aeb1919d2dfe5ea3e277dbb8880694855e2d0769be26c02bbb1a8742a57f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2a49a833fc5b373ec5e873aa3cfe3ab5

SHA1
996de696fc143cbcf112f3c0ac2b0f537fe1b592

SHA256
f4e060709c5deaef865176ec3fc12af1223e7dabb24cdaa9aaa25a5b1f5910be

SHA512
cd0ad78538f03d54743c89d85e1567ff427d243f7a18679699914570dcfcc9443f87bd265f64375d6e5ecaeb1133a688f8472a65a96bbb63e9250c0d789ebbf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f4d33c3706086c6c1df7ea0c21bea17d

SHA1
ae8b1630d4c59cf8309d5dacee54afe1554fbb90

SHA256
e775294422f6fdb28c80d317a2113e2254ea7c0293a9a648456ad6a07da0eb96

SHA512
3b6c04de462030e7bb1bdc4779a990b5b8d33404d21c6e5a165fc7cfa798887780c7290ee4835d9ffe42b1b7ff4a78384452264e761c5311cbdd6eb7a784ce10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\CefSharp.BrowserSubprocess.Core.dll

Filesize
1.1MB

MD5
5b745ee879e65f7a47c56265881f16e7

SHA1
e6a90771b8f1bf53beeb7c9e4268756ff07a088d

SHA256
c8944a83938c39fbea72700485db8a61ab82e1c51d8e16d5dd48de4e36a6f264

SHA512
3b4bef98a1f751c3a747de0eb050828bf8474efa68aa7a26d0369f1c3b42829eaab221cb612c005a54ed5b84f19180700e51aab39adb84fe7246d9e91e6899c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\CefSharp.BrowserSubprocess.exe

Filesize
6KB

MD5
bcd22b9511d5383e23d875e2cf3c339e

SHA1
0ef86afaef536cc4b046ea2866414bb193d60702

SHA256
95dd31f11ac1317559b6eee0479739930d503a4938283f5d831ac8add92ad792

SHA512
c4e6821858720895c0bfae797097e3307bb7ea8f03dde4fefc16cce03b2a50fecfe8ed5c3225136fcd9d74ee0ed8673f795b410cd14890d22df58c1f03b693c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\CefSharp.Core.Runtime.dll

Filesize
1.7MB

MD5
21719cf581f5cc98b21c748498f1cbfe

SHA1
aaada7a02fadcbd25b836c924e936ce7d7ee0c2a

SHA256
6fd2685e02ef7c92ba5080faadb44f22fee528713f5101e2841c1230cba691e6

SHA512
6394ddabc7ad03895ecddb9943371935e0a2320e933b380a563eaf03d1a039c7180aee763834170c85485416b1af38b55c1dafff7311b25513369b01dce22598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\CefSharp.Core.dll

Filesize
897KB

MD5
16f8a4945f5bdd5c1c6c73541e1ebec3

SHA1
4342762c43f54c4caafaae40f933599a9bb93cb5

SHA256
636f8f865f23f2d47b73f3c16622e10b46437bbf7c89b0a2f70bae6129ab046a

SHA512
04115c425c3015ee4355cde2a6e5e28ec24745ea77761a40c0986b54dc14bc67cb142986988d79df87e75ea54d21ded9384842e01cf0714b84f7378e6a13400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\CefSharp.Wpf.dll

Filesize
114KB

MD5
36946182df277e84a313c3811adac855

SHA1
bcd21305861e22878271e37604b7b033ec347eb3

SHA256
8507a4662220eca49d7d511183be801cd394f13dc0e9898c55361020fe9a4720

SHA512
80b1e947b1940dccfe5be8a1ba1e8c1d9eacb122d73724a21233164f5b318fa57c249256f621f0f9c1e6a9e4c902eec58827bb899e20f2990f4ade1d685f1abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\CefSharp.dll

Filesize
272KB

MD5
715c534060757613f0286e1012e0c34a

SHA1
8bf44c4d87b24589c6f08846173015407170b75d

SHA256
f7ad2bbbeb43f166bbbf986bdb2b08c462603c240c605f1c6a7749c643dff3fe

SHA512
fcaec0c107a8703a8263ce5ccc64c2f5bfc01628756b2319fde21b0842652fbeee04c9f8f6d93f7200412d9bd9fad01494bc902501fb92e7d6b319f8d9db78d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\Celery.exe

Filesize
17.3MB

MD5
433bb23192adb1d78a2fd99ca652eab4

SHA1
40087ada7a5020046c30d8ffb9fd70949450151e

SHA256
06a7351cbbb9e794e8ee5793114cb74cda3b55f23eb634ea3b994adf851ddd3a

SHA512
d74a2156ea003640774a1139aa4c1b5b76f0f97ebbeec1dd3cebbf902eb667d369f7ea8e1d3c6aff140da6f75e5c64cee23cd1e2cb988873db95723ea9cca93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\Celery.exe.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
26KB

MD5
ff34978b62d5e0be84a895d9c30f99ae

SHA1
74dc07a8cccee0ca3bf5cf64320230ca1a37ad85

SHA256
80678203bd0203a6594f4e330b22543c0de5059382bb1c9334b7868b8f31b1bc

SHA512
7f207f2e3f9f371b465bca5402db0e5cec3cb842a1f943d3e3dcedc8e5d134f58c7c4df99303c24501c103494b4f16160f86db80893779ce41b287a23574ee28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\Microsoft.Extensions.DependencyInjection.Abstractions.dll

Filesize
62KB

MD5
00053ff3b5744853b9ebf90af4fdd816

SHA1
13c0a343f38b1bb21a3d90146ed92736a8166fe6

SHA256
c5a119ec89471194b505140fba13001fa05f81c4b4725b80bb63ccb4e1408c1e

SHA512
c99fcda5165f8dc7984fb97ce45d00f8b00ca9813b8c591ad86691bd65104bbb86c36b49bb6c638f3b1e9b2642ec9ac830003e894df338acfca2d11296ff9da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\Microsoft.Extensions.DependencyInjection.dll

Filesize
94KB

MD5
3452007cab829c2ba196f72b261f7dec

SHA1
c5e7cfd490839f2b34252bd26020d7f8961b221b

SHA256
18b39777ee45220217459641991ab700bc9253acaf0940cf6e017e9392b43698

SHA512
a8b83a8582dfee144925a821d09c40f5730f6337b29446c3bce8b225659bdc57a48778081fa866c092d59b4108c1d992e33f9543ae2b4c7554b8ff27b5332cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\System.Threading.Tasks.Extensions.dll

Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\System.Windows.Interactivity.dll

Filesize
39KB

MD5
3ab57a33a6e3a1476695d5a6e856c06a

SHA1
dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7

SHA256
4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876

SHA512
58dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\bin\Monaco\assets\theme.json

Filesize
390B

MD5
53140e18fb33e7e9a25e13f57a4190aa

SHA1
dd72190319ae2b7ddb12a137f50fad2579fcc897

SHA256
1cbd08945e5e8612b690e1eb663917cfb4f84f0083bf7d2c2a61f43e6c455e9b

SHA512
fb9b0456c7c9d468b14db242659d2cda36f7457f9035628d92538850a509e78116972e9890edc3b69d4379aaafb6da76ff2876b446b6953e14914cdfe7dc7b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\bin\lsp\main.exe

Filesize
36.1MB

MD5
43ad962c7acda3e30300e7d0f1add3fb

SHA1
362c217d315f288f375fec7289a2606ed6d4f432

SHA256
534e6212f155fba25a38fba248ce7970e69335492d57443d04037b617260dd9b

SHA512
3822b6b426c85a61c4d754de7c33fdfbca45c9e80f2ba52f4c6ac98ad726109e276851af3612ebb39a6cefa4de9589d412e2805a3bacf7845d2aa22189396e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\chrome_100_percent.pak

Filesize
682KB

MD5
d3e06f624bf92e9d8aecb16da9731c52

SHA1
565bdcbfcbfcd206561080c2000d93470417d142

SHA256
4ee67f0b0b9ad2898e0d70ddfad3541fbd37520686f9e827a845d1930a590362

SHA512
497126af59961054155fbb8c3789d6278a1f5426000342f25f54115429ff024e629783f50f0c5350500007854712b07f7d8174ecfe60d59c4fdd5f3d72dac262

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\chrome_200_percent.pak

Filesize
1.1MB

MD5
34572fb491298ed95ad592351fb1f172

SHA1
4590080451f11ff4796d0774de3ff638410abdba

SHA256
c4363d6ecfa5770b021ce72cc7d2ab9be56b0ce88075ec051ad1de99b736dbbd

SHA512
e0e7deccb26b7df78d6193750bfb9aad575b807424a0a5d124bd944e568c1bb1ae29f584246f753d619081a48d2897815145028ffedd9488e9a8f102cdc67e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\chrome_elf.dll

Filesize
1.3MB

MD5
5b3802f150c42ad6d24674ae78f9d3e8

SHA1
428139f0a862128e55e5231798f7c8e2df34a92a

SHA256
9f455612e32e5da431c7636773e34bd08dae79403cc8cf5b782b0ea4f1955799

SHA512
07afbd49e17d67957c65929ca7bdfe03b33b299c66c48aa738262da480ed945712d891be83d35bd42833d5465ef60e09c7a5956df0a369ec92d3bc2d25a09007

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\dxcompiler.dll

Filesize
20.8MB

MD5
141f621285ed586f9423844a83e8a03f

SHA1
9c58feee992c3d42383bde55f0ff7688bc3bd579

SHA256
5592056f52768ba41aad10785d21c1b18baf850a7e6a9e35526f43a55e6ada6d

SHA512
951a55bbe86a7ebecfc946bf1c9a8c629f0e09510089a79a352cd6d89b7c42e0e23fd4f26232b0e73bd6d4ec158b86728cda2ab25745abcabfafadd964b55896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\dxil.dll

Filesize
1.4MB

MD5
cb72bef6ce55aa7c9e3a09bd105dca33

SHA1
d48336e1c8215ccf71a758f2ff7e5913342ea229

SHA256
47ffdbd85438891b7963408ea26151ba26ae1b303bbdab3a55f0f11056085893

SHA512
c89eebcf43196f8660eee19ca41cc60c2a00d93f4b3bf118fe7a0deccb3f831cac0db04b2f0c5590fa8d388eb1877a3706ba0d58c7a4e38507c6e64cfd6a50a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\libEGL.dll

Filesize
459KB

MD5
ce2c45983f63a6cf0cddce68778124e9

SHA1
6553dc5b4bc68dcb1e9628a718be9c5b481a6677

SHA256
9ca8840bbb5f587848e66d08d36cb5eb30c1c448ef49ce504961ff4ac810c605

SHA512
df81a3356168e78d9810f5e87ca86eb4f56e5f0cb6afdb13408b50778a2d8b18c70b02c6348cd7ba59609ab2956d28eed324706eb65d04bce1159a2d8f1e0e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\libglesv2.dll

Filesize
7.3MB

MD5
c9b090ed25f61aa311a6d03fd8839433

SHA1
f1567aa2fb1fcad3cde1e181a62f5e2bccadaf68

SHA256
c7a7a59cf3c26d6c8b2505996065d49f339764f5718e6f53a9ecec8686c489db

SHA512
21cd4618b6ad011afa78abe8fbc42ecafbb992322912c4a77e5f193a04aeb97a5655dedfc513e1a7667db55b92a322e3d9a6dfe7e845af25f37a6666a1798470

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\locales\en-US.pak

Filesize
455KB

MD5
a8d060aa17ed42b6b2c4a9fcbab8a7e1

SHA1
16e4e544eca024f8b5a70b4f3ca339a7a0a51ebf

SHA256
55e4ae861aa1cacb09db070a4be0e9dd9a24d2d45e4168824364307120a906b2

SHA512
8f3820e3c5aca560344a253d068936bdb797d07eb22711020d287a949c97d7a98879ff9ff5a4fb2f3fe804bf502300b6f4c92918d973bef351d587483bc43723

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\resources.pak

Filesize
7.9MB

MD5
5955471c84eaad269c23f8a22b71f781

SHA1
d625fb0b12d132fec9f91cbc7db54887589f202e

SHA256
b8ae091d95e927a75a9b0a367a8ee9bc5fae0a10427eb77cb3c3460097cd4f5e

SHA512
537fa6f414c7759e70ad6e70350571221ba69afaf89427c7450acf117e58a97fc7beb2a1758cf05b2ef76a14ad50e762f01b1c65d1ccbc63e4d714af445988df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\v8_context_snapshot.bin

Filesize
672KB

MD5
12c20b1ea7dccafb8250e13e46bc9914

SHA1
6ed3625dffea1ad3e1aceae4c55caaf195fd7c18

SHA256
5591258720aed178de57b4e61eb59b2c4af2566caa1d18a7157cf8d0feca11d7

SHA512
e520e67eba1dcf236a0daf43ec57182821b1e9142592ef471c724caf74292ed85291bd3b84fef6107ee2c258f93ea4fff2df18485537d73ddfd973b863c76727

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\version

Filesize
5B

MD5
c7ba27130f956748671e845893fd6b80

SHA1
86f389089f8cb6f58aa87561bcf7bec9d700c40b

SHA256
f0b8c77d978d7b4aebeb1df5a2c0a6aa70393689819dd4060826ab6d36b5ea90

SHA512
f2170cb5d554ef10a286c0754d0ef8acac4a47317c98e315ad092261f39935db861719a29ad1e8235806753619c975c1748572a0c49a1ef784088cd31d8d98a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\vk_swiftshader.dll

Filesize
4.9MB

MD5
3262e23f3fef8b021b93c801f5649c92

SHA1
de49b94cfc981a0af5a4e134854f69620e7ba566

SHA256
1c9098e8a6f21462864a91e74555f299ebc41d3bc79d6ee1b9c577c929957285

SHA512
54b0b26b95f6fc799b3e24863a65ef3896786811be3cc9fffa2a06e95e98daf32b16f0ede6b8a87acc319ea17650cdd089c56798236476b894054195738e1797

Download Submit
C:\Users\Admin\AppData\Roaming\Celery\settings.json

Filesize
95B

MD5
549e0849b62ac1edd0e200f6821cf237

SHA1
c38c5e610a29fe868404c0a6c1dd28dc46c32654

SHA256
45907882a0e460ceb2cc46205083aae3eae5b874c1863bc6ff332d683486925c

SHA512
318d6c6f86460742f2890734d39d1c5291c3e0d18f6ba0bf22e7c8f327c2cae24cb1b468ff89f422a76eea63e6aed18e07b60159c96c0243f9f48fcfc631c243

Download Submit
memory/2240-342-0x000001EFCAAF0000-0x000001EFCAC0E000-memory.dmp

Filesize
1.1MB

Download
memory/2240-338-0x000001EFB0670000-0x000001EFB0676000-memory.dmp

Filesize
24KB

Download
memory/2368-309-0x000001DD8EAE0000-0x000001DD8EAFC000-memory.dmp

Filesize
112KB

Download
memory/2368-317-0x000001DDA7630000-0x000001DDA77F1000-memory.dmp

Filesize
1.8MB

Download
memory/2368-313-0x000001DD8EB00000-0x000001DD8EB0A000-memory.dmp

Filesize
40KB

Download
memory/2368-311-0x000001DD8D2C0000-0x000001DD8D2CA000-memory.dmp

Filesize
40KB

Download
memory/2368-324-0x000001DDA7950000-0x000001DDA799A000-memory.dmp

Filesize
296KB

Download
memory/2368-521-0x000001DDA9AE0000-0x000001DDA9B18000-memory.dmp

Filesize
224KB

Download
memory/2368-307-0x000001DD8D2E0000-0x000001DD8D2F4000-memory.dmp

Filesize
80KB

Download
memory/2368-305-0x000001DDA7440000-0x000001DDA7526000-memory.dmp

Filesize
920KB

Download
memory/2368-303-0x000001DD8EAB0000-0x000001DD8EAD4000-memory.dmp

Filesize
144KB

Download
memory/2368-301-0x000001DD8BD40000-0x000001DD8CE8E000-memory.dmp

Filesize
17.3MB

Download
memory/2368-522-0x000001DDA9AA0000-0x000001DDA9AAE000-memory.dmp

Filesize
56KB

Download
memory/2368-520-0x000001DDA9A90000-0x000001DDA9AA0000-memory.dmp

Filesize
64KB

Download
memory/2368-518-0x000001DDA9A80000-0x000001DDA9A88000-memory.dmp

Filesize
32KB

Download
memory/2368-503-0x000001DDA9830000-0x000001DDA9852000-memory.dmp

Filesize
136KB

Download
memory/2368-352-0x000001DDA94E0000-0x000001DDA94EA000-memory.dmp

Filesize
40KB

Download
memory/2368-351-0x000001DDA9520000-0x000001DDA9532000-memory.dmp

Filesize
72KB

Download
memory/2368-491-0x000001DDA9F80000-0x000001DDAA032000-memory.dmp

Filesize
712KB

Download
memory/3968-12-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3968-14-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3968-10-0x000000000A290000-0x000000000A322000-memory.dmp

Filesize
584KB

Download
memory/3968-9-0x000000000A950000-0x000000000AEF6000-memory.dmp

Filesize
5.6MB

Download
memory/3968-8-0x0000000009630000-0x00000000097B8000-memory.dmp

Filesize
1.5MB

Download
memory/3968-7-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3968-5-0x00000000082A0000-0x00000000082D8000-memory.dmp

Filesize
224KB

Download
memory/3968-13-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3968-6-0x0000000008160000-0x000000000816E000-memory.dmp

Filesize
56KB

Download
memory/3968-11-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/3968-4-0x00000000058D0000-0x00000000058D8000-memory.dmp

Filesize
32KB

Download
memory/3968-3-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3968-109-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/3968-110-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/3968-2-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3968-300-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3968-0-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/3968-1-0x00000000001A0000-0x0000000000272000-memory.dmp

Filesize
840KB

Download