kinsing | hxxps://meteorclient[.]com/

Resubmissions

25-01-2024 15:58

240125-tes3qsbagk 10

25-01-2024 15:55

240125-tc1pssbadr 10

Analysis

max time kernel
129s
max time network
126s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2024 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://meteorclient.com/

Score

10^/10

kinsing discovery loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2136 icacls.exe

pid	process
2136	icacls.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
644	msedge.exe
644	msedge.exe
4816	msedge.exe
4816	msedge.exe
4104	msedge.exe
4104	msedge.exe
5024	identity_helper.exe
5024	identity_helper.exe
1644	msedge.exe
1644	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	process
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

javaw.exejavaw.exejavaw.exejavaw.exe

pid	process
1048	javaw.exe
1048	javaw.exe
1048	javaw.exe
1048	javaw.exe
4544	javaw.exe
236	javaw.exe
2592	javaw.exe
4544	javaw.exe
236	javaw.exe
2592	javaw.exe
4544	javaw.exe
4544	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4816 wrote to memory of 4976	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4976	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4160	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 644	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 644	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe
PID 4816 wrote to memory of 4492	4816	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://meteorclient.com/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb6e573cb8,0x7ffb6e573cc8,0x7ffb6e573cd8
2⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
2⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
2⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
2⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
2⤵
PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
2⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
2⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
2⤵
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
2⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
2⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
2⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
2⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
2⤵
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
2⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\meteor-client-0.5.5.jar"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:2136

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\meteor-client-0.5.5.jar"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\meteor-client-0.5.5.jar"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\meteor-client-0.5.5.jar"
2⤵
- Suspicious use of SetWindowsHookEx
PID:236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,8711863410852457623,8322654822261504738,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7052 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\meteor-client-0.5.5.jar"
2⤵
PID:1464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
9f8cf60b7bf8b484cb35ecb29ad41872

SHA1
c46c8e718e9a579b2a7514e359866a16c6d2946f

SHA256
fd4405780a848e63c3a76b5d662a63f2bda3ed797ebe6a3560783398d232a54f

SHA512
852a14209278bedbab6534ce57bc90e549f049bbabcd48088e2fe0fe14eef7de73546ae09218bf571e66757be50acc20c57c821f0b51931ad2277a50a2a023ec

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
c5a432b49da9d0a6d4fc67603491eb3e

SHA1
da4538d0caacaa6bcc7ac2bf13428959e06a04d7

SHA256
6725035dcf2d08a5f4d0c3dcfb59ad528a8c42d6c539fea6924558b2351f09f5

SHA512
12879a843a866b46939235786050d063cf01dcd271d48ac3d4222b621aa631843670b0ddd695ee7d547c5add42151aa809b833cea0bc39df5f3ba89009d1398f

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
e0f4b8eb996882a875784fcec43f4d6f

SHA1
80d360395b9e624008845082c77b88e2849396bf

SHA256
ee0c920c1c4a2d371361653b314e8fd8350ec7388e45f1866073260e9383dfc9

SHA512
17503348efb28867b0eebe238f47eec9ec13d34feb737c663788b4cdabdf0383e035beedc0cd99a164f4b38e6f75828585b3ee5fd6302526ad2d6a6b0818429a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6dbe72a1f5827efc08f70d06ef815d46

SHA1
6aacd61519fce53ecb92e5e61207a6c29c01f47b

SHA256
dd673404dd6deb2d2b331316370fd05e47c01b9dc489640f05b50898d536a6e3

SHA512
2e6115ca818df5f5b7985caf3ce2324e266b376f6180f84b44e9ae725e037a8456c2cd63e22b9750e2ba27f4c7460dfa429ce9910517a728b056e5f1e730e25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
f98110bcc6c87536ccbcf4b8fc2eac82

SHA1
429013c9363d3338e882c1a511fea724a40dcc54

SHA256
e82461c4b39747eebfd4916d191cf3e14b7f055f8df8792198e3b99f75926e1a

SHA512
4b60217ad37b4fa67e1f7cd68918cce1247ef81f8999ce290829ed8afeed908ed038ab047ef870105ee108b2b5b27c7c618104cc65da039ffd2a646dfd648550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
936B

MD5
802cbdccc4b0d9076c3e9d3c6c3d73a1

SHA1
8cb4a05a160e741dcc12fb0f3534025fa65d5259

SHA256
646a4168abc8e70980789fdee7215a5798f0e06ef3bcbb11e59ae4776d4b23bd

SHA512
e062d714d8da70eb760face88ac258a7cf77342d96e741eacb71564cfb8eab8dc74c51e1089c67fdc9b8f5f0f83d4fd72036132539afe6828fa40fcf6c3fdab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
262306116e8892e607ca4e4925aa33f3

SHA1
5cd8c22d5fc70da0ead73d74e0c578e790b99710

SHA256
4b8a5015ea52ed1407bb51b18643b573514ddb3676fa9bda0f8f1f2785450784

SHA512
dfd58c2a61eede4745a3892f7e38299ad55a92fb11e7b10150b45851f4ea67a7107627ba13b6fce061dceeee523b15845317be8d559a14c9b07ec61684d0abf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
539a472cd42b30b47cf483ddf1cb2698

SHA1
e1aba5b58d4e2a801b060690c0e637c957fe76d6

SHA256
cacdb37b8315b3108773e5f54ffb6a1ba596a77ec1323793824d214fcc843c36

SHA512
cad7733d5db0d64bc968c77281076fa7e09d63f50e90a5b928675b9482dc04d834a46e15bce6934bdda858534cf7b0ff7a5624512a9e539dad74cdf6a77569e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5c764ae7b7d98cbbb6a7ce52f8c5ac6b

SHA1
c2a2f73d083421122738e7811048433e29888edb

SHA256
2d2eccf3e8f121eaab31d2bf42a7ccb52b94bb8de3dcbf2bee6e323dcb2bc115

SHA512
a7ac5349a7ea3573f4c0ee1c232704aade299f8dec45b121ff1546dfa99b86363565f0b5461da9a721df986f571366bcc03d4af38eac4cb4cb84d8efe3df01e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1ea9f9f75a64a6ba8507bd7b203578e0

SHA1
55572825a33c2c690795d12a72a7d2d8ff9c7907

SHA256
b6e93a5fa86e61394e85eb02bcbb93ab0095c893e6fd305964f96baaac60c967

SHA512
25954dec3a33b5b84dd4062ca9b9b1c3b817f5896440d24a7a9512a22d05212d90f1577bd3a30c3e42c020b07ef6d4e07e982559fbd03dc7afaa9244877f2a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c7611be82e14c6a8ca013f4a203d6bf4

SHA1
5e4e330c2ae6709a2da2694e5b8aa23250dff3ce

SHA256
1dca8b69c4bc7c77b1443baa17d15c36820ce0bbe96428d9fa8e9708a5daedde

SHA512
54d7c067df226d526bef47fab30e172fe6332055ac352136eed60ddb9db4baec10749870752a88ba827fba290abaa452f05a7141898b8e26e7b40cc0ea9dd5fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
e5477be1e6c4cc9f570c69a84dd4f681

SHA1
fdcbdc83ccfef1c270b927c6815e641f6d96a132

SHA256
f06ab204d1d24ecd2d13e473bf807a8fc65ed09114a227966b4a308bd7eaa531

SHA512
24eb3338f0a7be6df183c5d5f22831bed07ce0779dcc124e805364a128a08f571160a6809556cd1de323c9d3cc64299855978967c8693b8324cd9bb22f5ffe14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
200B

MD5
5b0006166d2c144f35d90a9120d0b562

SHA1
aa12f25603427bc98c494285ba0b24aac8465733

SHA256
ea519bd039c1aa0b4add88e3741d3afbaef93cf13fcaf0fa70a76fdd2f161718

SHA512
250774c5667a9cd4ba0d54c6ca4bfab759792b71e781f2dc30ec0e2ec1a8df6a3874b54f3586f40cdf2d368eb1ff196610ba02bf7a664327001997119d1e28e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58752b.TMP
Filesize
204B

MD5
77fa690ea0df90b77ca412f47a2ee289

SHA1
5313879576641ca9e1bf052bbe2022e1b0865f80

SHA256
bb4b9a724076894f02c5ab9a606c8119d9a30daa8a75ce041815ac314ccbd802

SHA512
f9273396eff4a207f945611bb6f465d1d5fd34f30177730420c2789c0656626571193a62ae6edaf875c887d05ebc5103fc61f53c23f2dcf0cc9e364c6c9a7dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
c63fdd1150f6022a986733158a3621d7

SHA1
773ddc73b0c86a6ccf3df2c5c9e096a68bfaa9e1

SHA256
37c974474317aa476b2ac6234fe9fb2f333aae5368dac6bbb9761a164746f9e3

SHA512
2efec48b38095365390d0511d59d6bc19075eb5a58229e9ed23d9d220a062b6150d8d3a0ccb463550131e55d331a1a9d247fcb2f7fc3d9f26f227f93357529bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
645136894d132ab74dbca32cca6429a9

SHA1
6620b33322d964a4c886f0b261cf824e56762866

SHA256
0abf63c86c1e4cb4ce027a99dfad4b633d0e30c4948c633a32e4401cf2529fb0

SHA512
3b1f130ee16bbf33d786388069b91c3e9290afe3cc82de66a253e7f26ded1537b02684dc14a8ff42611d5ed5a49d66b2f237a3904bd6dd714b7adf8c34c8ae39

Download Submit
C:\Users\Admin\Downloads\meteor-client-0.5.5.jar
Filesize
953KB

MD5
a0b533b7a94651bc9c0c7e73a5348a7c

SHA1
8c53eaf01e43a69c8621581cc025bb7bf3e39e89

SHA256
605262921d93862f8813ee5520e9b07bc6ed9646bae373e9768830f6e77f53a2

SHA512
ff63ac109841590edd54153415f83731a52975623627b7089e6ee24a1b70cc9ff0fb0b1ac4fca80f60ae6f39b8cf7c26414ee22f8b68b90bcda355b839f7ce05

Download Submit
C:\Users\Admin\Downloads\meteor-client-0.5.5.jar
Filesize
4.3MB

MD5
deb5a3c8b3fd1bd572c05b649099c12d

SHA1
9e3b48ad3e643bc4904f3320abfd359e83a8d99a

SHA256
f957dd8364dfc66794b08f2bb3ebdceec822950dae67fb588e8daf7f4a9b7890

SHA512
9873423c7bdabe7ef69c7994c28ba136e875b9ff76275b8f316891c8a24e6899ae74ce4e85887ff5dddc1fbdd28d2a21c172719dc132e3388f3a69818f538e9a

Download Submit
\??\pipe\LOCAL\crashpad_4816_ZBYERYDYFCWNUMFG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/236-355-0x000002126ED90000-0x000002126FD90000-memory.dmp

Filesize
16.0MB

Download
memory/236-370-0x000002126D530000-0x000002126D531000-memory.dmp

Filesize
4KB

Download
memory/236-399-0x000002126D530000-0x000002126D531000-memory.dmp

Filesize
4KB

Download
memory/236-381-0x000002126D530000-0x000002126D531000-memory.dmp

Filesize
4KB

Download
memory/236-357-0x000002126D530000-0x000002126D531000-memory.dmp

Filesize
4KB

Download
memory/1048-319-0x0000019CF09F0000-0x0000019CF09F1000-memory.dmp

Filesize
4KB

Download
memory/1048-325-0x0000019CF09F0000-0x0000019CF09F1000-memory.dmp

Filesize
4KB

Download
memory/1048-428-0x0000019C80000000-0x0000019C81000000-memory.dmp

Filesize
16.0MB

Download
memory/1048-331-0x0000019CF09F0000-0x0000019CF09F1000-memory.dmp

Filesize
4KB

Download
memory/1048-297-0x0000019CF09F0000-0x0000019CF09F1000-memory.dmp

Filesize
4KB

Download
memory/1048-372-0x0000019CF09F0000-0x0000019CF09F1000-memory.dmp

Filesize
4KB

Download
memory/1048-284-0x0000019C80000000-0x0000019C81000000-memory.dmp

Filesize
16.0MB

Download
memory/1048-356-0x0000019CF09F0000-0x0000019CF09F1000-memory.dmp

Filesize
4KB

Download
memory/2592-379-0x0000028BD2C60000-0x0000028BD3C60000-memory.dmp

Filesize
16.0MB

Download
memory/2592-354-0x0000028BD2C40000-0x0000028BD2C41000-memory.dmp

Filesize
4KB

Download
memory/2592-375-0x0000028BD2C40000-0x0000028BD2C41000-memory.dmp

Filesize
4KB

Download
memory/2592-383-0x0000028BD2C40000-0x0000028BD2C41000-memory.dmp

Filesize
4KB

Download
memory/2592-403-0x0000028BD2C40000-0x0000028BD2C41000-memory.dmp

Filesize
4KB

Download
memory/4544-307-0x0000028FFFA60000-0x0000028FFFA61000-memory.dmp

Filesize
4KB

Download
memory/4544-353-0x0000028FFFA60000-0x0000028FFFA61000-memory.dmp

Filesize
4KB

Download
memory/4544-398-0x0000028FFFA60000-0x0000028FFFA61000-memory.dmp

Filesize
4KB

Download
memory/4544-303-0x0000028F81410000-0x0000028F82410000-memory.dmp

Filesize
16.0MB

Download
memory/4544-328-0x0000028FFFA60000-0x0000028FFFA61000-memory.dmp

Filesize
4KB

Download