hxxps://github[.]com/moonD4rk/HackBrowserData/releases/download/v0[.]4[.]6/hack-browser-data-windows-64bit[.]zip

Resubmissions

22/08/2024, 16:27 UTC

240822-tykkpswhqb 10

02/08/2024, 15:47 UTC

240802-s8mblszfjj 9

Analysis

max time kernel
61s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 15:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moonD4rk/HackBrowserData/releases/download/v0.4.6/hack-browser-data-windows-64bit.zip

Score

9^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
3556	hack-browser-data.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3500	EXCEL.EXE
4712	EXCEL.EXE
820	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1704	msedge.exe
1704	msedge.exe
1920	msedge.exe
1920	msedge.exe
4956	identity_helper.exe
4956	identity_helper.exe
4336	msedge.exe
4336	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3944	7zG.exe
Token: 35	3944	7zG.exe
Token: SeSecurityPrivilege	3944	7zG.exe
Token: SeSecurityPrivilege	3944	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
3944	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
3500	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
4712	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE
820	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4920	1920	msedge.exe	85
PID 1920 wrote to memory of 4920	1920	msedge.exe	85
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1808	1920	msedge.exe	86
PID 1920 wrote to memory of 1704	1920	msedge.exe	87
PID 1920 wrote to memory of 1704	1920	msedge.exe	87
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88
PID 1920 wrote to memory of 4088	1920	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moonD4rk/HackBrowserData/releases/download/v0.4.6/hack-browser-data-windows-64bit.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5ac446f8,0x7fff5ac44708,0x7fff5ac44718
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16971725551685120613,3856998244056360829,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1616

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\hack-browser-data-windows-64bit\" -ad -an -ai#7zMap13275:124:7zEvent8867
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\OptimizeTest.bat" "
1⤵
PID:4560

C:\Users\Admin\Downloads\hack-browser-data-windows-64bit\hack-browser-data.exe
"C:\Users\Admin\Downloads\hack-browser-data-windows-64bit\hack-browser-data.exe"
1⤵
- Executes dropped EXE
PID:3556

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\hack-browser-data-windows-64bit\results\microsoft_edge_default_sessionstorage.csv"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\hack-browser-data-windows-64bit\results\chrome_def_sessionstorage.csv"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\hack-browser-data-windows-64bit\results\chrome_default_sessionstorage.csv"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:820

Network

DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR
DNS

github.com

msedge.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/moonD4rk/HackBrowserData/releases/download/v0.4.6/hack-browser-data-windows-64bit.zip

msedge.exe

Remote address:

20.26.156.215:443

Request

GET /moonD4rk/HackBrowserData/releases/download/v0.4.6/hack-browser-data-windows-64bit.zip HTTP/2.0
host: github.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 302

server: GitHub.com
date: Fri, 02 Aug 2024 15:47:58 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/273132277/4fde4ec3-b3b6-4c01-b6ba-d985bea9d9cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240802%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240802T154758Z&X-Amz-Expires=300&X-Amz-Signature=ddf1ba2465f38c157afae013e796b48fba73adb23b4e9cfdcf052cf510126e5c&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=273132277&response-content-disposition=attachment%3B%20filename%3Dhack-browser-data-windows-64bit.zip&response-content-type=application%2Foctet-stream
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions proxy.enterprise.githubcopilot.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
content-length: 0
x-github-request-id: C58D:0A07:13D42F:157C36:66ACFFAD
DNS

objects.githubusercontent.com

msedge.exe

Remote address:

8.8.8.8:53

Request

objects.githubusercontent.com

IN A

Response

objects.githubusercontent.com

IN A

185.199.110.133

objects.githubusercontent.com

IN A

185.199.108.133

objects.githubusercontent.com

IN A

185.199.109.133

objects.githubusercontent.com

IN A

185.199.111.133
GET

https://objects.githubusercontent.com/github-production-release-asset-2e65be/273132277/4fde4ec3-b3b6-4c01-b6ba-d985bea9d9cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240802%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240802T154758Z&X-Amz-Expires=300&X-Amz-Signature=ddf1ba2465f38c157afae013e796b48fba73adb23b4e9cfdcf052cf510126e5c&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=273132277&response-content-disposition=attachment%3B%20filename%3Dhack-browser-data-windows-64bit.zip&response-content-type=application%2Foctet-stream

msedge.exe

Remote address:

185.199.110.133:443

Request

GET /github-production-release-asset-2e65be/273132277/4fde4ec3-b3b6-4c01-b6ba-d985bea9d9cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240802%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240802T154758Z&X-Amz-Expires=300&X-Amz-Signature=ddf1ba2465f38c157afae013e796b48fba73adb23b4e9cfdcf052cf510126e5c&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=273132277&response-content-disposition=attachment%3B%20filename%3Dhack-browser-data-windows-64bit.zip&response-content-type=application%2Foctet-stream HTTP/2.0
host: objects.githubusercontent.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

content-type: application/octet-stream
last-modified: Tue, 16 Jul 2024 04:05:28 GMT
etag: "0x8DCA54C870BDEEE"
server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 2468151c-501e-0008-4f39-d7fb5a000000
x-ms-version: 2020-10-02
x-ms-creation-time: Tue, 16 Jul 2024 04:05:28 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
content-disposition: attachment; filename=hack-browser-data-windows-64bit.zip
x-ms-server-encrypted: true
via: 1.1 varnish, 1.1 varnish
fastly-restarts: 1
accept-ranges: bytes
age: 2041
date: Fri, 02 Aug 2024 15:47:58 GMT
x-served-by: cache-iad-kcgs7200114-IAD, cache-lcy-eglc8600076-LCY
x-cache: HIT, HIT
x-cache-hits: 0, 0
x-timer: S1722613678.332277,VS0,VE75
content-length: 4221107
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
DNS

88.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.16.208.104.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

20.26.156.215:443

https://github.com/moonD4rk/HackBrowserData/releases/download/v0.4.6/hack-browser-data-windows-64bit.zip

tls, http2

msedge.exe

2.0kB
8.6kB
17
17

HTTP Request

GET https://github.com/moonD4rk/HackBrowserData/releases/download/v0.4.6/hack-browser-data-windows-64bit.zip

HTTP Response

302
185.199.110.133:443

https://objects.githubusercontent.com/github-production-release-asset-2e65be/273132277/4fde4ec3-b3b6-4c01-b6ba-d985bea9d9cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240802%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240802T154758Z&X-Amz-Expires=300&X-Amz-Signature=ddf1ba2465f38c157afae013e796b48fba73adb23b4e9cfdcf052cf510126e5c&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=273132277&response-content-disposition=attachment%3B%20filename%3Dhack-browser-data-windows-64bit.zip&response-content-type=application%2Foctet-stream

tls, http2

msedge.exe

112.3kB
4.4MB
2089
3142

HTTP Request

GET https://objects.githubusercontent.com/github-production-release-asset-2e65be/273132277/4fde4ec3-b3b6-4c01-b6ba-d985bea9d9cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240802%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240802T154758Z&X-Amz-Expires=300&X-Amz-Signature=ddf1ba2465f38c157afae013e796b48fba73adb23b4e9cfdcf052cf510126e5c&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=273132277&response-content-disposition=attachment%3B%20filename%3Dhack-browser-data-windows-64bit.zip&response-content-type=application%2Foctet-stream

HTTP Response

200
93.184.221.240:80

8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

74.32.126.40.in-addr.arpa

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

146 B
144 B
2
1

DNS Request

240.221.184.93.in-addr.arpa

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

github.com

dns

msedge.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

objects.githubusercontent.com

dns

msedge.exe

75 B
139 B
1
1

DNS Request

objects.githubusercontent.com

DNS Response

185.199.110.133

185.199.108.133

185.199.109.133

185.199.111.133
8.8.8.8:53

215.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

215.156.26.20.in-addr.arpa
224.0.0.251:5353

590 B
9
8.8.8.8:53

133.110.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.110.199.185.in-addr.arpa
8.8.8.8:53

88.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

88.16.208.104.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

365 B
144 B
5
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
7b576dbb11f4ac62c38daf80c941585b

SHA1
1fe2a373726a715e28bfc1a93bdd04d67ff2e465

SHA256
0567f23da32d90da704a17e9cf11a226a82b46133ab787dd5dc065b52cf6d2ba

SHA512
8f5607696272a059220f76ed2f1045c2b8cdf4d307923bafc4f82cac31f9835c09706df4ea6ba9c903d0ad8c1f7fb429f4716cc7f6e12752671e9bdbe8fc226d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
2f7a10233d43fd65a905beafd23198d1

SHA1
dd6cffcb204a73a4aeaf65c93d3bbab4d636b703

SHA256
b48a82f046bb07868afd5b78845cc46b3aa7e44e8f017e6ee1d9e7e17dedf3e4

SHA512
f68a30139b8b668227deea9c562b0e8ee296ee718e425c3b852bba6ae60296b084481b366449bb06821a5c6c64b0f02a6cb29dbaa675b5075c39083af673e7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
00ffc0c31c5bc6da0b7d3301bf4ec508

SHA1
29b567ea66d868c53f386089c6c10882aa36d6de

SHA256
f49f3a01605229863ffd726f6ce028aad81e39b22e5ac9ce8b99f796bf7493fd

SHA512
544fd516ebd35d586fff364695287c288fde6368df554fae1f83ddb994603bec6e6c1235a9c24042554eed1e638e8b08d94341d4a8a12482c4f495f840b3b902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
608e09c2ef8493b91f65ee83740fa9fd

SHA1
9bccc654848dae3a54a5f1565731d9f1c59cdc38

SHA256
c314f945691b9f229c2c1a4a5dd91dd6bf4439d6a84c137a643d7071cc2ff2fc

SHA512
2d48c7fec8d258e46b67a4a8adacbd51170e61f2bd77269a9669833f3d95cf80227fe146d5d63a92f9c651b0687a253bbd32b0c69bb230842c3f51c103e85406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dfc737b906e2d5e90897cd8e276c3e2d

SHA1
369a6b30e2998719239e1804bc755567f8c06aa3

SHA256
3d09f3cb6eed591437c481d73e6702e0918a115b46cface597057d00d9fe1614

SHA512
32868eedc6b05f5a732c06087606ca4a1238344a0e056d0d01230049e6b7fd91b110cf45aa4b8946365530f79cf69039db125ab0ea7ffca400a77c3e01efdab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
850a6a1dfa2e0b467b0fd917363a7cb7

SHA1
db0cdd911480aab9a43dfee55262e6c4d10e27cf

SHA256
d273ef348b9c3ea89bcf8f189aa60787014ac3e54c56b81594f931edb46cc272

SHA512
24e73e8b9b25843b0fed52a7ed0ed4e45179a8280faabc4d5d3c2cd547fbbd9b7d518f4d33832bb237c83720877e27d585216d10e10af518575211a31e1da5d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
99B

MD5
ba92e5bbca79ea378c3376187ae43eae

SHA1
f0947098577f6d0fe07422acbe3d71510289e2fc

SHA256
ccf4c13cd2433fe8a7add616c7d8e6b384cf441e4d948de5c6fc73e9315c619f

SHA512
aa1d8b7eb9add6c5ed5635295f501f950914affc3fa9aa1ee58167ed110f99a1760b05e4efb779df8e432eab1b2a0fc9cf9d67a05b2d5432ff8f82c620a38a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
dbea6dfcac4cf178a38696bf865bd7af

SHA1
3b539dabcba8cdf60560ce950decfaf8a22993a6

SHA256
d63bd5d2b91ce55f6fe17af5a679037360e4810d05a1762f37ac47957645b192

SHA512
53297414fa7b77e4f5de8e47980e17b0aed2409d697b1a7c223ff108b864fc075ca7eec3052f6c8f6548926b50321c43d41fbee7fb148a3048fc2da19faa13fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
717db9a9ef2681c528315d157b37945c

SHA1
d7b06b82acf9c4b1cf5505b5568bf15e9ceb3e6e

SHA256
a6a085171de51f78d4f7acb5054a0d4f9dbd35aa20d2051b62138704c895a1dd

SHA512
f85861e30930c348924842a8e0e02a8b8c490ef9e5b4f85386a8717c3227538088390578d41454765dccb1bd10506cfd650c3b3629c8b5430242c8cea262414d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
8c185592e078af30a5a82077f367e1d7

SHA1
2e4aa70a4a6bb3fcc66fa9ef3717f86d3fdc5e2a

SHA256
e4e82de151b374760a6b97fa89ac804dc222664d9a493b19082ce47019c0e94e

SHA512
cc2f996472630e95dbf9376c71c4ae1a53f21f90d771eb9b8d0e3fd6a3695b2a981be8961b2edf23a81ec623e0a5fd0b3b2e17ac4f71b77018bad6b7301b9643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
15KB

MD5
c040b079b07f3fe8de5a32c13a993eb6

SHA1
ab435eb697c5cf337da61d57659f719fc375e753

SHA256
aa2e4a947bbd599e719a5b772ecc39dc1713fb54bb314816fe35c3227f888f89

SHA512
8f35fbde9e9834b4741870df0e432db808a095f41300bdb6bd96b78b84da87304cbc47f8cf6da8ce902be16930fc203546de2f981a930c02b3f11d4a0fe33fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
10ded346ea6e4972d4a1f5c3063040dd

SHA1
0fc814b00ce7b0ec379db9f93a9fed34be2e41c0

SHA256
d09f0eb5f35674c60aa2982f1171fad0705eb5973a663da7d4b8f8686c2a6b5a

SHA512
6fc3900035fb87c6a4d6e529b987eb43492b7baf4b96ce5e94d8456ba21c1e2929650cd825a64cd8a7a0c011bf439637f7e8762ecbf092e33668302a3af0c19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
12KB

MD5
7710e9e748dde61d21231fb4039f428d

SHA1
5f689a872b45a52fe2b9367be0390e339051016e

SHA256
8b6cfbde4e922df0ce373ad1026de91eec6071ca789c9373519240664764d2ac

SHA512
756c2917793ae82c125d01ed927e6f01e761c4bd6a358a5e55daf9a3339d751d68e3a3721a5842486efb5f59a283d7fc1dc989cee63a0f74ed62702c82b3ad60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
4d1cc662c5b1f7472b97dda98e5bd6d8

SHA1
4e72e7f56610841cad87a3f6451c482482d1b347

SHA256
c8a849fb9dde7550ac5cb3ec0aa221e485eafaf0d25fa5a42f7a58dd515e8002

SHA512
710cc959ba67ea9c6b6efb352597bcf0da1d6edf8bcfb9841d9505a7b1d4ce1fa3e5a64798837bfefa504fc1408c87e45b8683e1aba04d21101ae16490d4b910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
9f10b88745d7b2cfaf5bb2bce87f238d

SHA1
aaeef5a44e8749b8515551e661dac16dc09acd97

SHA256
bc04bbbc4cdb94ae930326916c1266993c07e6ab8a046821952e924e242d4b12

SHA512
d91178a8a599061ca8b4c3aa1199993702a39d64eb1720bebee06015d100286eebc27521e27b2bb8a679000964226adff14616a3b1e7fd8993010185fbc07379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
518e579a5560c418792a5186f98094a6

SHA1
4159cab0cc6e7de56d69bb9179605c94835e66f2

SHA256
43ddd98e653eda36c66f67dc62242a0e21d618dfa438867bebc40f08d3edcb21

SHA512
031e43b8d51fc4fc50c09271568bfa910af61f6e661753de8ddbbc4b3a52b4812735579ba57a4105950c0d2b72642a117802ca39a4d35564d82fe2247ac1c865

Download Submit
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\000004.ldb

Filesize
141B

MD5
800964100bf5522029908e4d62c8cb86

SHA1
28fa46ca8b867b24975ffa2e164a08dcb8c3838d

SHA256
4320e36c155668faf70df6378ed4748e176a45f9b38996f5529fb8dbaf7a46be

SHA512
511d001b6a05f93f113924a60cf225d03811527a2fe915b25c0305fe64f8dfc8600ae67ebe51246852eb11ea063621801c4e028292626f49ddd989ef0b245936

Download Submit
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\CURRENT.6

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\CURRENT.bak

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
428B

MD5
01a886cd105a8477fc4c8aa00d5a0f38

SHA1
d31e80314b52ba60e4ac6e313193f03906b62262

SHA256
155685e7e2c97206645082849a7736fe8a9a4aea9d820525f441783b18197cd1

SHA512
cffcb81862827bec55a0bb119fa78622040c3c62dff5a31ac3f51cce886d56944f55ce0a938acc076a9c3cc2ecd21a6af45b6e2ba778a70d99526d845ca19169

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
502B

MD5
658ec5a3da07bf495b04886dd3df1faa

SHA1
d78c19d8fd03b1012126b4e8a536f5984d9eaa0a

SHA256
afcf84ed4b98dcf2c7b91d39a8149701fe0e9271828f47ffefaaac75106718f1

SHA512
c24491fd4017be13fa1ec48b37ff644397beb9e762aff91716f0d3088e17f5fc777f2cc8d0b70c55d3e307484814bb72572faa27cfb9970af7f225095d4af796

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
584B

MD5
2224e6a9ad13b89f96bb530bf434835d

SHA1
0e4d2b13190cdd300beed49137705539cff2a20a

SHA256
51e829522b792dcd44ea967c873c2a0127170389ed2d136d364a0d548a5a6348

SHA512
e320bfbb826f2826b5578b95e58bc87ca15d97b97369d4b6524338b124fe370d4f78ba826dbcca3e08bb8eee9ba268b3ea15abb994aa8311da8ddce758681ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
c9f255f442037f6c6615fc3db3657643

SHA1
c41c5d62955ffb767323a2252ffd3ec3a5121f29

SHA256
43873b355463cc34f80e5ca5d23797ef9f5b1f16dc607394abc2b130d8575696

SHA512
60b7c2acf1863201a3a5af960714a5194639bea930b63c8ad5fe94c535efbb87baaedd267fec4032b1cf0ba055c028b81001e51190dd2027dcee02f7dcd64595

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
449ee19b254a9f4625b7ad0cee6c4212

SHA1
53f6292050ece25611d33fd422fdcc4c4ff66b35

SHA256
8ac724f47cffb7beb6c5043894ac8138401bdf3bf5c2a9ea7a435376344e94f7

SHA512
e0d18f99c70364c8f76a405bc0bfb3bbba0417ba506eb4e97cd711a3eef915c021a8501f4b44a076b5f0730867d7bda6b317eeebd8e4f0c5cc31207fa78f9c09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
2e468d9cf0d133ec6336c3d46782e2c1

SHA1
7a81ce2436c08e605536546e6cf004eafb0312ab

SHA256
9de9c303ec88efb3f4c74be34efb057fc535cb0e1bcd4c355f2d3f43038dd001

SHA512
c4cb261b14b91027e899dfdb3fad08126d1ad0a7472fd46bac3b641738145a2c9318a143360466e0702683052fc6b7387a1914373d39a8dacca6b57a4fa978ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
6f1142c1fbd63aebf5e3b04099af75bc

SHA1
f3ad90f15f54e32d633c5047a0aebd7b453b5a45

SHA256
3fa34029527abee5cf0e276072e8f38d108a0744d02c05158ad5d32d7554cf08

SHA512
87f05b9d78d0a1d442d2a06a9d7182c26058261527495f5f647eb1122e07f71794fc8b5d190052e0c3bd73b5b31573ec836a8247eb13b1929ca448c5a3a7e0e6

Download Submit
C:\Users\Admin\Downloads\hack-browser-data-windows-64bit.zip

Filesize
4.0MB

MD5
943539fabf89133835889373e695af33

SHA1
9d36a7d090c79dd55f9a759bd0259358b68fa1d1

SHA256
57d611717398735e11d600d1b1199a73c3fb349725e699ac97aba1ec47a24fab

SHA512
c7f3a4d859081e9f5b057eaf785f3025bc43c5909fc297dd91e0d842f2a7685daa32d17c2a6b42f1a585982b2f6c5992c5f291794ceeb7b1abcc614ea8912483

Download Submit
C:\Users\Admin\Downloads\hack-browser-data-windows-64bit\hack-browser-data.exe

Filesize
9.3MB

MD5
7be18f7881115b4b9fa5b19bc5da7e23

SHA1
838839f163f8cb146ef9078956fe9a733d096299

SHA256
e28e65b42f2596dc34c9845728e4ee6884d3e42b20397a9c4fcbe8cd63f8c193

SHA512
50e8ee8c98f151cce3e7ea6a1eb5952a97d49bac553cd684e9f4d2bc631d41a07186b3ea412f8704873b00098513408f08d3c3229a52ec36b5592238650dbff2

Download Submit
C:\Users\Admin\Downloads\hack-browser-data-windows-64bit\results\microsoft_edge_default_sessionstorage.csv

Filesize
34B

MD5
d07886f7107c50304e1b9cde0793ed04

SHA1
41453a6e9db25a06b4ef031c12fdcee8a3818741

SHA256
963b596f0385f5be1b8ad2f7e5b4ff474aeb1a1a8d17d20ff67a1cd30ca70344

SHA512
a917504c89a8ec7b8fc5d89a683fce01ce45a160dbb98861cc2432c221a2f3e7aca15b7325967c171e2de2d7ce26ffa01ecef49c7b896b1a16daa5a3125eb4ca

Download Submit
memory/3500-246-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/3500-328-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/3500-327-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/3500-326-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/3500-325-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/3500-250-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/3500-248-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/3500-247-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/3500-249-0x00007FFF28E70000-0x00007FFF28E80000-memory.dmp

Filesize
64KB

Download
memory/3500-251-0x00007FFF269D0000-0x00007FFF269E0000-memory.dmp

Filesize
64KB

Download
memory/3500-252-0x00007FFF269D0000-0x00007FFF269E0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.