discordrat | 4b3249c78c50f2f2cdb9befa5a8a0c6f1060f617d4baa0602e8bff3bb91c8cc8

Analysis

max time kernel
260s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 12:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

net6.0/HardAntiCheat.exe
Size

147KB
MD5

26cbc4c30f31bf1f3038edab23ebb203
SHA1

def825211a357f4a195c45e469edc7d52a713b09
SHA256

d47c9ed0a5f0ddce20c786251eedfe119e929f6c9d9aaf835fc3f472b8e4a724
SHA512

7c960d654473c66efe0e66f73a6ff9177eccdbeb6baeda6b56cc34b4630db4bf5f90ac3c08f875ddda646e64d4822e8eadaf487ea2dc497d1fffb075532805a6
SSDEEP

3072:K5vnr5Tbx829UOeKnn2LFzZBp13u36wKp4FULCzo1:KBKjK2LFzZNf+UL2

Score

10^/10

discordrat discovery persistence ransomware rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwOTYxMDc0MTgzNzU5NDcwNQ.GjVcMg.PxEOfc7OAMHHzxt0OgOgfExaZIarA9jXdHoqTI
server_id
1309598138776162314

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Celestial.exe

pid process

1120 Celestial.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
1120	Celestial.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 27 IoCs

Web Service

T1102

Processes:

flow	ioc
29	discord.com
50	discord.com
114	discord.com
19	discord.com
44	discord.com
51	discord.com
41	discord.com
119	discord.com
127	discord.com
129	discord.com
20	discord.com
23	discord.com
28	discord.com
126	discord.com
130	discord.com
118	discord.com
59	discord.com
122	discord.com
123	discord.com
133	discord.com
135	discord.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
54	discord.com
56	discord.com
125	discord.com
131	discord.com

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Celestial.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6783.tmp.png"	Celestial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2414.tmp.png"	Celestial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp78EB.tmp.png"	Celestial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1868.tmp.png"	Celestial.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

HardAntiCheat.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
3000	HardAntiCheat.exe
3000	HardAntiCheat.exe
3000	HardAntiCheat.exe
3000	HardAntiCheat.exe
3000	HardAntiCheat.exe
1208	msedge.exe
1208	msedge.exe
4112	msedge.exe
4112	msedge.exe
1252	identity_helper.exe
1252	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4112 msedge.exe
4112 msedge.exe
4112 msedge.exe
4112 msedge.exe
4112 msedge.exe
4112 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

HardAntiCheat.exeCelestial.exe

description pid process

Token: SeDebugPrivilege 3000 HardAntiCheat.exe
Token: SeDebugPrivilege 1120 Celestial.exe
Token: SeShutdownPrivilege 1120 Celestial.exe

description	pid	process
Token: SeDebugPrivilege	3000	HardAntiCheat.exe
Token: SeDebugPrivilege	1120	Celestial.exe
Token: SeShutdownPrivilege	1120	Celestial.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Celestial.exe

pid process

1120 Celestial.exe
1120 Celestial.exe

pid	process
1120	Celestial.exe
1120	Celestial.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HardAntiCheat.exeCelestial.exemsedge.exe

description	pid	process	target process
PID 3000 wrote to memory of 1120	3000	HardAntiCheat.exe	Celestial.exe
PID 3000 wrote to memory of 1120	3000	HardAntiCheat.exe	Celestial.exe
PID 1120 wrote to memory of 4112	1120	Celestial.exe	msedge.exe
PID 1120 wrote to memory of 4112	1120	Celestial.exe	msedge.exe
PID 4112 wrote to memory of 2880	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 2880	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 4744	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1208	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1208	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1820	4112	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\net6.0\HardAntiCheat.exe
"C:\Users\Admin\AppData\Local\Temp\net6.0\HardAntiCheat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\Celestial.exe
  "C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://arenafn.xyz/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff76a946f8,0x7fff76a94708,0x7fff76a94718
      4⤵
      PID:2880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:4744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
      4⤵
      PID:1820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:4396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
      4⤵
      PID:2336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
      4⤵
      PID:3768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
      4⤵
      PID:624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
      4⤵
      PID:2612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      4⤵
      PID:1020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7637125545069441877,2849543707554254840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
      4⤵
      PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
ba7091b4932f0c1b2be3c9036296b22d

SHA1
4534919bd68c41e04e419054ed7d15c5ccea0f71

SHA256
dd7c9c76aa684d9dd2e1a270ff72317a707c825f47e47fb27ff346195414a704

SHA512
d7f8ad6cd268f85694936a87b2fda38a7b29912142f4630b9cada8eaa34676ffc9dd35a14c4612dda6b94af74ed1e131e83d78d9f10783f37d95423f2cad58c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_arenafn.xyz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
477B

MD5
a1e5a0df9293eed961cd6f4299f6ecad

SHA1
77f4436ed9c930b1c172771ffeaf8e25e403a01a

SHA256
c6e0a60a917e339067c20192c3df3c465957eb93ff540a4943c6741e12ee37ec

SHA512
305d4590f4b4410a54cf050e55ed97a1e6c7d8c2f106c61752a224146dbe79215488be20877d255716f07a57cba63ccb15f40ef0d869dd92b65e49ae300251db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ffb7d6c8efc62f9ea7cf86eb1ef5caf7

SHA1
57f50ace91bfc725c828daae11e1e132d0daafba

SHA256
eb07ce601993db762de005dc875e812fdfe99143afb88a69a11c337067cd1853

SHA512
e0e613140195eca27dd96093fb7a3be2d6b9d0e0b9bb64189d8dbd7e2f66a5a706521e7cd538fd320768d60b97f6fd77bcd4ba847e546755be3c305822a8315d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e49e76908137922dcc3a49d00df214b

SHA1
750c78c1226be5febe0bd2e59e1d65dd9f1da7ae

SHA256
996fa65af9b5910fba13fd4bbe2fc5f644279bb1fa07c3508e5ef927ea8f8f57

SHA512
40fbb0031eb47aa75e276e4b168aa0689aa95dcad7c9958eb5162b7ded263bd3f31e49cb60457afefe4fdc329a9cc86d963308e624c51478b898644d8554ad9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5812513d6e56e1545f332b1a7493d3d0

SHA1
0dfe1f32bb4e5b1cb6319e2f5bf0e5e920c7fd1d

SHA256
35bc2f80d7fc7cfd2f204f8ec87355bdc10fe50b9c16cd43649be49e984e9a6d

SHA512
381c15a2af3ff4237cdb55a916e39ec0af116af8993ac7646dc43297590d651b7b29cb1435b5243f360d6e526ef38f4ae7e3d54d6662f62149710a8021f62baf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ac6e2deb1ae4af236cfdbc1832509b5883a58b51\63a2738e-d235-4cbb-9099-bb9496691705\index-dir\the-real-index

Filesize
72B

MD5
116fe1cb88dc0710ca3f282428f0c57a

SHA1
ae31daa865e143aa1725c5c015113627b8954c8d

SHA256
3ef88d286b3b4231b2472aa963e688dd6dfceeb5056c7e052da20f7fb4901dfb

SHA512
3f0ff7b5f89ea192df61e119dcb717ecaea3bc9983b6cd206d9698ebebdc14a2a7585f5d07650940e84fd79587996c48ce6d682b911b002f5052150baea15550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ac6e2deb1ae4af236cfdbc1832509b5883a58b51\63a2738e-d235-4cbb-9099-bb9496691705\index-dir\the-real-index~RFe58f315.TMP

Filesize
48B

MD5
3165780e7bae6c763fbbd837b4149af1

SHA1
f8729105916a2cef9b2060b1f3ddf258477831b9

SHA256
cf1ee93fd32d1d9e209e2478014154afc51a730ebd82fdc63974db14e6b94fc7

SHA512
eab34de2f07cf66e11d8ec361d998548e07d585737183f3cacd655739f4194839eeaf8d43aa1e01b62787688ed8f85b155a5c78c827059d40e3c76ebfc3dd5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ac6e2deb1ae4af236cfdbc1832509b5883a58b51\c5f3657b-8a1c-4edf-a1e5-8ac2104d5bdd\index-dir\the-real-index

Filesize
72B

MD5
9603095f85c7f59ab8563e54b9fa94d4

SHA1
fe1a5f1e6d6371a57e12a425a8a38921cc650c2f

SHA256
871a8e25192a94a490a10a2451071bcd643be7af32517433f0afdfcc9953b059

SHA512
1276396ffa53740ddf0fd479152c7928cec6d1910dfa6f868965c68ac3914cffef10f2e51d4a9375e31aae391942e877ab0f02810e6fd0a61915090a3b4a4b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ac6e2deb1ae4af236cfdbc1832509b5883a58b51\c5f3657b-8a1c-4edf-a1e5-8ac2104d5bdd\index-dir\the-real-index~RFe58f018.TMP

Filesize
48B

MD5
6110c7dc603d8451fc11e1cb9425b6b7

SHA1
f9d30a691fcbe1344ba1b7f54fe9ac45d0ca7722

SHA256
2019591b99ce342fd8cf08bc296dd78cf176fdba51452de3118c1da9984f394f

SHA512
2d3170d50065c061935651c467782df12274aed1ac8880b61289cfa29b66c2d559fed1365ba9a73d0e7c3ae6ac0fe1e1b42bd1115e0e3cfd808304639cf5f6c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ac6e2deb1ae4af236cfdbc1832509b5883a58b51\index.txt

Filesize
117B

MD5
7a3c746e4af0eebb7e9e51d62ea1b219

SHA1
db69bab95a421eafb9189f4435bea125a72a150f

SHA256
28e454de80f5e57bc4358bdcde613b93a5dcc72ab96b8be1852dd639f83aaa1e

SHA512
be6aa3d932686c877c0124ad92f0814d92ebf7cc77b6b6ffdf7f071beabb5664457d0614c586aefedb3b314344f3b34ac6f13f4f5c1b19d2918c3d921d71c919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ac6e2deb1ae4af236cfdbc1832509b5883a58b51\index.txt

Filesize
179B

MD5
977c26fe679939ce776364f4d2fb6b93

SHA1
d3fc391106a998ec19e078608038fd5292e36fb2

SHA256
2a593c92df011fe9c9bd9680c431390ff4f5cc8eb5265088c4ef0b34102d2ca5

SHA512
cfe54b3b4c574cf4ea59359e56198c2a788251a6d6f74952c00b3e21fbce9b3a40c289f8018b2b8a47591f1c54f86a1d68acfe00bb87d4578b4c9a06c5521a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ac6e2deb1ae4af236cfdbc1832509b5883a58b51\index.txt

Filesize
174B

MD5
93cc5bdabd0327d48afa217381abafb6

SHA1
d10c0c5e9c6f6c28c551a7a50718f5254f45d6b3

SHA256
0912b00fd6a33c963700c0e9f1ef0847c841e526d4149ab68a5d71193f8592df

SHA512
a5bca8808bf7421b47794f50cee98042668624b4f97bc197a05c15fd025fb3af56f542d93f05d06ea40e5b6db9068eaedb34b59935c5e9d163b0787f8e4e6579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8df9a25a8d596397ad573efa710d3309

SHA1
9800fcc6ee074606595553b32258ecd21871afea

SHA256
07add31a8623deb53ec705ac67ebce086122747d45d66cd814bcaab912f7fd56

SHA512
70a1beddeaf03ef11e6b5f58121b5ab5a1df1f047c4cefc3f5f5f42efc0bfb249787e3de14117f25117f20b70ecdf8095666f7dd06ba677bb0bffb5f775a0bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58efba.TMP

Filesize
48B

MD5
c009ee449d93bb52557c02464a64f9e9

SHA1
05a5c1e53f4bc97c01def4d933421cd5032e2cb0

SHA256
3ef285f0e01ada5f4d1e355009dde6d8f96b68ff2dc3eea77f1347d930f8bb20

SHA512
26d41e804f8b40d652e5d0bac1519d6733dbd9596ad72f4ee9b7303fd2d557225ebebcaee576d956ff7d77b8a6ccb99642a421f42bf0fa2b0366eaa35c2db315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
941d82b1dfbf972d1b2843c188d4c921

SHA1
aa20e761183fd7ff63cccf170d4c6c9976d7aed3

SHA256
137a592f6b42b2a05eeedec59d6d8eb7cdff4e7cd81d16a97363a6ed21424ab2

SHA512
ef99f4e2cc49e13d6b83489bfb17ab4179249a730b63bc43f5b62db8f21a15e047c3f8f5f9b970e3a40a93853514a32e1403f0397cfd36ada3548ecb3806a51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f846.TMP

Filesize
537B

MD5
fb7852685c849c615f7360e0db8a1f8a

SHA1
31b45965dad212b5197a72c56a8c75cf0363c363

SHA256
8fa04ee5cb9944e18ddb1f56dcf3a3bd5bf7abea80e8b488b2180a05a48fdcfb

SHA512
c2e382fe28f8fa66acc06324ec77351d64f9a1f5c379dfeccc07ab48f2723d7a7407fe7efee22b6b3845cef383516c477718ca1c2e0ac52a6baab7cc542f3bf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d44f58af005b4d172d09e24bd83663bf

SHA1
a30e20a463e31b0ee03d43a0d40b4e654f808ca4

SHA256
3b04c8cb2963113c9504a7786c19dc63de25ab933ae0c456a905587247881aff

SHA512
5d7c3f41b6cc6bf323a605a9af5e802dd93a9376777f3a5971ff331dfc57fd290a1bc15c4b160a07d5f996682d6adadc91149b569f49f8d1942cdc0fd6d956cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c51b27b7-d2e3-4274-85a5-cc9c0f989be7.tmp

Filesize
10KB

MD5
3cc66f696b2ed18f262beb8b47466101

SHA1
56070e405f5293ebce0c8f51de541b28f5b93dcc

SHA256
1ffe56dcc8d14e4ed47c7e4e84135091a0c6f590c50bc9edc5615eb8f02e852f

SHA512
4e53d32d97d50ada9bae01c62b69b3351dfcccc95e735f88f22916d98bdbf7ee75ac7f7dbd9acf67428fd0e2b2ee560a6aee3df0372c2dee61392b0a615abdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celestial.exe

Filesize
78KB

MD5
4781cac193ef3fa4fe29f7c673d22bc0

SHA1
8d95b6a01e69e7f03c14640e985493e080b6a24c

SHA256
3b74433cf5326f6773070b943440bdcd7e609136a9a68e0de20d753323233a66

SHA512
a18de2e8077ca165fb2f8f3efdaf2bc89bda3106e39c3ac98b4682f2fc7bd6abddd7217748506edf4d55a495a5fe9079dafbe8dccdf377c65bc5ef2f3d79d05d

Download Submit
\??\pipe\LOCAL\crashpad_4112_CUDKCSQHXKSQGHXR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1120-11-0x000002715B1C0000-0x000002715B48A000-memory.dmp

Filesize
2.8MB

Download
memory/1120-10-0x00007FFF75330000-0x00007FFF75DF1000-memory.dmp

Filesize
10.8MB

Download
memory/1120-9-0x000002715AC90000-0x000002715B1B8000-memory.dmp

Filesize
5.2MB

Download
memory/1120-8-0x00007FFF75330000-0x00007FFF75DF1000-memory.dmp

Filesize
10.8MB

Download
memory/1120-6-0x00007FFF75333000-0x00007FFF75335000-memory.dmp

Filesize
8KB

Download
memory/1120-7-0x0000027159BA0000-0x0000027159D62000-memory.dmp

Filesize
1.8MB

Download
memory/1120-5-0x000002713F570000-0x000002713F588000-memory.dmp

Filesize
96KB

Download
memory/3000-0-0x00007FFF7711B000-0x00007FFF7711C000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads