47afd3f128fe51fef8d774c006beced00d469903d009ddb0646a59c0eeb45216

Analysis

max time kernel
153s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18-08-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_2923_Original.jpg
Size

263KB
MD5

c971a78e4e913d48cf3040144c2c013d
SHA1

a5ede0e6dc1849f8cbe4728fa731a25e8daf7673
SHA256

47afd3f128fe51fef8d774c006beced00d469903d009ddb0646a59c0eeb45216
SHA512

6faff05d59eaec34665bd193ef493ea28e8cd0982a1909be7ab7c0c841ab5e08dee29a544fb8685b6991c7369d1378b480754339eacde225e8c1be04fddc9c02
SSDEEP

3072:WRxuqTuO/E2ZgNz1qp0bQeEnmdqFAB0QZi6XDpiMH+DxE5Wib9MpW98G4noPsl/:4xQOM5z1q1eEnm+L8kY9Wib9dup9

Score

6^/10

discovery

Malware Config

Signatures

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5688	msedgewebview2.exe
2684	msedgewebview2.exe
4408	msedgewebview2.exe
2292	msedgewebview2.exe
3988	msedgewebview2.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "4"	CeleryApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	CeleryApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	CeleryApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	CeleryApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	CeleryApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	CeleryApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	CeleryApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	CeleryApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	CeleryApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	CeleryApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	CeleryApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	CeleryApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents"	CeleryApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	CeleryApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	CeleryApp.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	CeleryApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	CeleryApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	CeleryApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	CeleryApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	CeleryApp.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CeleryLatest.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3868	vlc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2820	msedge.exe
2820	msedge.exe
1608	msedge.exe
1608	msedge.exe
1956	identity_helper.exe
1956	identity_helper.exe
1248	msedge.exe
1248	msedge.exe
3156	msedge.exe
3156	msedge.exe
1172	msedgewebview2.exe
1172	msedgewebview2.exe
3988	msedgewebview2.exe
3988	msedgewebview2.exe
3436	CeleryApp.exe
3436	CeleryApp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3868	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
5100	msedgewebview2.exe
5100	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	CeleryApp.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
3868	vlc.exe
3868	vlc.exe
3868	vlc.exe
3868	vlc.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
5100	msedgewebview2.exe
5100	msedgewebview2.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3868	vlc.exe
3868	vlc.exe
3868	vlc.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3868	vlc.exe
3436	CeleryApp.exe
3436	CeleryApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 4120	1608	msedge.exe	90
PID 1608 wrote to memory of 4120	1608	msedge.exe	90
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 3280	1608	msedge.exe	91
PID 1608 wrote to memory of 2820	1608	msedge.exe	92
PID 1608 wrote to memory of 2820	1608	msedge.exe	92
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93
PID 1608 wrote to memory of 5092	1608	msedge.exe	93

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\IMG_2923_Original.jpg
1⤵
PID:4100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2152

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\DismountLock.3gpp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa51203cb8,0x7ffa51203cc8,0x7ffa51203cd8
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1276 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,2106374792948509351,13024167803956965331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5684

C:\Users\Admin\Desktop\Celery\CeleryApp.exe
"C:\Users\Admin\Desktop\Celery\CeleryApp.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3436
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=3436.5192.11300528626153192778
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5100
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x1c4,0x7ffa51203cb8,0x7ffa51203cc8,0x7ffa51203cd8
    3⤵
    PID:248
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1356,7880513442100897140,7605494188376430249,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2684
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1356,7880513442100897140,7605494188376430249,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1172
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1356,7880513442100897140,7605494188376430249,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2720 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4408
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1356,7880513442100897140,7605494188376430249,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2292
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1356,7880513442100897140,7605494188376430249,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4824 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3988
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1356,7880513442100897140,7605494188376430249,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\EBWebView" --webview-exe-name=CeleryApp.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f74f80cd052dc4903da98dd6916f375d

SHA1
3e3512884ee41291824b30b256670b3d0a1c8d40

SHA256
d9589878daebff7c0991b2007a7af982f4760512545b4e331708f3f3308447ac

SHA512
bd186699a85c91cda88df15ebee640f99b55ff168e228dd0de8d7416d62de1bcb57e88beb3b12ce74a54a9c7491934ef3dd5fdd6b92ab5c909f129b419d96b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c32b6fc873c040253034fe4bf5037bd0

SHA1
fc58579eb5bf46c8d5246a45abae3566898c2e27

SHA256
8d59014ec29aebf56b641a018b29b6c64e33764d7a2262283ce51319071f930c

SHA512
e8ba0e9e78bc58b3d6d671a1e693cbe81745f000daaf281cc6aa6c591ae261b981f704e3dcb32f0fef87424aab0f42e4cfe40e445d8ef5a529c7bfda8ac510f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
065f1528f42273c8cb8c0dbd1022f0e5

SHA1
c016e8af6f7d3c19a2bd5afa279b7bedf53c8936

SHA256
a90739436042d61cd274edfc3c0a4260a23b0d628455176cfff3aa9ed14eb7d8

SHA512
23cb4ffd4fe429561953da3e4a9a44af4f8eb2037dface478c12cbd5b9f5f95c063df1794e0f91f29faec50cbfd3475450560f96467263bded00a3506990cac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c61366847e293e40b92908866e76ad03

SHA1
b404105164a309fa43b41d586afa029cc5a26b69

SHA256
314e01b1078af165361e9390855732daa0218a25b9ec20d4610a628e3c722c95

SHA512
e6415c13c6dbce78d7b7a7811c6335598ef5de6701ab5885232be2c70c51189c70ae8c9e6850c9c6f541df6419eee3740ed476a5a12359f7c7d03c81ff51201f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
40b26226b81c1b6db6bdb63de0e53344

SHA1
c105ae7c8cd435dbcb60f6c9920e26f1dda4872b

SHA256
b6a1331cb833570fd5b647296d59ead5e1bd1d9900d40834e043cd2995d6ccc9

SHA512
45c7ec5b4f8bdccd1dd18d56350cce706c0c70de3c6a57a9957762b0a6739792e3c2dc95e76ccf6c41f92a6e61f0b6779fc0df706258a309cf58d3c0a8b9bbfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5681236a9a2a259ae531a4746296217d

SHA1
bb9ee89320987274866b01db672aa4f9d3fc7389

SHA256
e04324ef739d6bb56831c109752c912cd9d17964c1cbfeb9419efeaa301d97d1

SHA512
b551cdaefc8fa817d01126e76168621a939eec3b5a3d88f77be87a0ab85544f20b4d3df2e94cc90d5036f82a90b6345936f11c1dbcd489c5763e7261c6c0f778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1a88cf2870f5df2f1197e05660e051cf

SHA1
416731ee17a8613e6923d220561bbc8ea67c4f0e

SHA256
e221a3656d76535f5e8d903e3031291913a7fa5ea216122102dc3c2bed636e4b

SHA512
4ea77925c723c43d73ddadacd711c2643a9b11c77668403afd1c74cec604c1f5e6938b266bb140822ca2a7eec72d0c004e9a891c0a95af3fb2206bd88356d426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba8a8f3533bf5f02a347482352aa04b0

SHA1
0d2c55312c7104979786164ce38cf631f07f5a2f

SHA256
369e748b24953b4e78ad2cb67a535cd2bda5ab04dedbde4dd9fb6f4af6e4cf2d

SHA512
74352cb6faa1058773d3bc9e850b32254acfc3be9017e743264d5308be7c526593b6fda296594311cc2858e4ecd9ab4d46867b9b963cbbf6762040ad927e5582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
5c3d7765ba43bd1edee4b831682a4b15

SHA1
85b74a85860b724221380ac36104c4cee5ed4b38

SHA256
c5f1bd264450e4e5abbc92baa64264e8621ffc3dc7ffe360145958651635b186

SHA512
9e6977b042efa5eb699dcd81cb8246309dc51e89b4e90ad752d4dbafba629c2f55813da36959e4489cae1f738f28c9e1bb976bc030b34e0c956a7656defeadf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
d93942c65d90497f531e480a6826b735

SHA1
79b22a073593f528ad4161653058d779cedec4e8

SHA256
e39a4ad2c6a39bced21cb436fedfea33a4354e8f4088ef7472b71b44b56f735b

SHA512
cd9834d00a66ebf315d60ca0d52c567aaa9250eee0501c28c6836c0d37b60a38990fb0d3fea5845aefcb4019a55827113d235a49dd3636d3dc10fcf7e8b7aa59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ce28.TMP

Filesize
204B

MD5
47b837a9297e39ca91176a5b144f4622

SHA1
4ef488d3a7d9017be7c0aa95fb248159e6ff467e

SHA256
ca6b17b810eae57481b7c66878f980cfed0fa2a1db1573887f3235f31ba8d2d5

SHA512
fd0e091210f52c1beda94c39e9a53a14cc0481489c9a899ce38ad88903fb818fa7baec0b82a596cc3751bf54829bb2371394868afb33527c3fc1b3f6b3d0260f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4f973f0deed2cabcee713040121afea4

SHA1
d6df5b864a7901be074102eb10ed1c6144210c9b

SHA256
1c4981f22cd1f57b5228f35226dcde24ce707ec2819b2b75b63e5ec7c5db9939

SHA512
0d55be23f89975413d59236baf74546577f53ee8900f28e609325247415c359a0977caf7b0026224f3f1e2ee898b5151fbcdac432de6ba7514fbe7c629c86d6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ee32ff12cb62b84d522ae8ebfcec27f

SHA1
ff33653b3ae28c54618d80dbac22e743a2e9167b

SHA256
ab3b439c767a96496d2d5d8e4749d03daf9cae5c9d8ca3da2ac9bf558c700ab7

SHA512
b41433f7f3455cf916ddb2e610dcb41051560da0fac0be2bbda15c90a740c3b5532ba6175f3c67441f3aa27fc2378ffe01b8878b2ab4a543fa94bcaedd335f1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0a14df2d68edc465f954e3bf936a3491

SHA1
8a33148ddb8aa53db7d24ac421281bee810f0e52

SHA256
6a1af0bc990ea94d42685b9416d42aead1da64b62f1cb1d337bdd3823f5f54a2

SHA512
fb67f4c54dd65774cf12c658e48e658be93f772a3ecc7e6232e199c77bd4a3346fc512b9454bef0a8d64579403e9ea283c668b0dde0e558bb5c5d85a4e63c131

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
25a7288ae2acfa6ae596afd5fbaeae32

SHA1
784507d418aaa29608898cca75b18c48ef9b5352

SHA256
ceac63cf17b1617cc04818d2b1b868c842ad4ef3c5041815d951a43b4b5faee1

SHA512
b565f8849a39cc9878cb84550ef5978315630b683e0f2e703bd98ea7967764f0ad3fddee9938917703b6474b8b5d0cce438ac2d1dfaa193111c1af7066323d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
ee4b3499bcfd46688e12382b489310ea

SHA1
4a0b8edcfb7796f1e58e93aafac49014d8d110d5

SHA256
73e767c78be6bf123c5959eae2fd91adbab301b4ee11916ff51e1510eed9b71f

SHA512
046262b01165eeb1544ffb96ca8ec568b07e9831f206698ab0bc9daec24e233b57b319c6aace3e655c9101273128cbdbbc3d4d75d9ab677d13200987338ce224

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
72c2b548762e112e8b6b1bddf13c109f

SHA1
1cf97641dd58c459a9c7195597ac6054d8eb1ac7

SHA256
d327b128bb8668593e836685c88558d3cadd16df7327eee955bd17293f2d69ca

SHA512
c0dd4873de389dff8080a509cc4ae8ad6978e8121ff772c94a6e01bc4d765cd808e50917f5a6a8b7de19d798251f663068c5c1a4b6702cf0b806c4053bbf2e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Preferences

Filesize
3KB

MD5
a0039c79fc36f71791b4a13c255df1a6

SHA1
9a778088f23a650220ab38312655d221a62b0afe

SHA256
8b76561c9899d8960493af5814413f3bc47676150c15269d17975b530ce9c546

SHA512
31862909e8509dcda514fad1a198b69ba781f8e6b5c3670845968c40973b33105469a2d926058c71341797ebd8eb29f286299b4314265151ec1f54298af49527

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Preferences

Filesize
3KB

MD5
fe21da5cd9046717f3161a967ad62678

SHA1
2fbc6af41d63aaf9016d06f6713ef320a4a686f3

SHA256
bb331712528c4b6e56b27da729f668ebe3bfdcd2d9efa109d7fcf3ae314ecdfd

SHA512
d208bfca03f5d7543e7497f7740d6fbee5b48c7a1c8e0455c9b4b548618e2d669e2cb8329ee2dfb0fd52c3e7de391dd9c62e18806d76e73d93260e003c570d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Preferences~RFe598da0.TMP

Filesize
3KB

MD5
1fb5f3c200ef94100a06bbb5f44d4ddb

SHA1
71d9e7737af684f9b94f6db9a3c9e2f1c4eee721

SHA256
e4167165169455059d8827da26278cc38a135b35d17454f8f83b323211c608c6

SHA512
fcf9367e85f59b819f71c9ea0f5661ff2a32717802b2d154773a89d0d284d7072a6b2b7cb9c53baba47e654181e3a60ab29dc6d3e4b9471b184ed46b6d2438ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Local State

Filesize
8KB

MD5
8ca12af0fee4aee25deaff06b8926a0f

SHA1
5800a0464913c8047d12f6d110f5e9ddb578cee7

SHA256
1181e72f7eef521cb91bd1824365c76e1019538d364d821910c215bb467e91ef

SHA512
7d27f94ecc8929a65dd3b5e06e62e8f2753e0d03dd2debf1f78a4805f57f22444c2f6923b7f4b669fdaa9dc26350bcdff0595e3a4d895694b870a5eab8686a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Local State

Filesize
8KB

MD5
80c1a709facdf5cc6da4805e201ab58f

SHA1
cefa8b87512938a62b52cac17864d1e02568cae8

SHA256
96df69e81e3d3c90436b743d4d2f31f7998490738301b3a8cb774fe8daab9feb

SHA512
ee4ba446c24d81a3e289b7e6d11cff4d0a2c5ba08e73caa5a9f7faea96e6d3baa4057ed0d4f9d6f447051b280f9681c3dde64da64c07d3770f50f01a9742c9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\Local State~RFe598da0.TMP

Filesize
8KB

MD5
5ee7a9275bf59e433540cf93152772b5

SHA1
ac118db0d1cbe0b52c0c693b310ba2fcacaae5a0

SHA256
e720e561ada9ab3763d0b8c10b1e32c2290f5a4e016e227e4799a28cba79d75a

SHA512
0729ca1b5372680c414b08c26491fd36a65e05d287e0872fa9589e5de2d63d95b6e5fcf21920a66e8bec2b96cf070ffa8c4a595918d2acaec92a6fd79f6837b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBWebView\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\Downloads\CeleryLatest.zip

Filesize
9.4MB

MD5
91865af1ff750b595a7fc53b248b16a6

SHA1
204209c944f3436e610e050427dea6dfaf780ff9

SHA256
334839a878f41c61aaaf84865762e4afa7135a9576af0bace4ce3383d2d83ee4

SHA512
e0ba77e05b9a35be252ca04e58373268baff8d0e8869cd57697153dbcfd5bb4867d2c375c13319207c726499781dbe45232fa08ac579f1bd227770f182b5ecee

Download Submit
C:\Users\Admin\Downloads\CeleryLatest.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2684-386-0x00007FFA6A110000-0x00007FFA6A111000-memory.dmp

Filesize
4KB

Download
memory/3436-360-0x00000182706E0000-0x0000018270754000-memory.dmp

Filesize
464KB

Download
memory/3436-363-0x0000018257180000-0x000001825718E000-memory.dmp

Filesize
56KB

Download
memory/3436-362-0x0000018271540000-0x0000018271578000-memory.dmp

Filesize
224KB

Download
memory/3436-361-0x0000018255870000-0x0000018255878000-memory.dmp

Filesize
32KB

Download
memory/3436-359-0x00000182557B0000-0x00000182557BE000-memory.dmp

Filesize
56KB

Download
memory/3436-358-0x0000018270620000-0x00000182706DA000-memory.dmp

Filesize
744KB

Download
memory/3436-357-0x000001826FA50000-0x000001827036E000-memory.dmp

Filesize
9.1MB

Download
memory/3436-447-0x0000018276F00000-0x0000018277428000-memory.dmp

Filesize
5.2MB

Download
memory/3436-356-0x000001826F8D0000-0x000001826F920000-memory.dmp

Filesize
320KB

Download
memory/3436-355-0x0000018257140000-0x0000018257180000-memory.dmp

Filesize
256KB

Download
memory/3436-354-0x0000018254AA0000-0x0000018255366000-memory.dmp

Filesize
8.8MB

Download
memory/3868-12-0x00007FF7366F0000-0x00007FF7367E8000-memory.dmp

Filesize
992KB

Download
memory/3868-14-0x00007FFA4B060000-0x00007FFA4B316000-memory.dmp

Filesize
2.7MB

Download
memory/3868-15-0x00007FFA493B0000-0x00007FFA4A460000-memory.dmp

Filesize
16.7MB

Download
memory/3868-13-0x00007FFA51280000-0x00007FFA512B4000-memory.dmp

Filesize
208KB

Download