vidar | hxxps://www[.]reddit[.]com/r/Cracked_Software_Hub/comments/1fo875c/tradingview_premium_cracked_version_available_for/

Analysis

max time kernel
173s
max time network
340s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.reddit.com/r/Cracked_Software_Hub/comments/1fo875c/tradingview_premium_cracked_version_available_for/

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Signatures

Detect Vidar Stealer 8 IoCs

stealer

resource	yara_rule
behavioral1/memory/5052-415-0x0000000000580000-0x00000000018D9000-memory.dmp	family_vidar_v7
behavioral1/memory/5716-523-0x0000000000580000-0x00000000018D9000-memory.dmp	family_vidar_v7
behavioral1/memory/5052-534-0x0000000000580000-0x00000000018D9000-memory.dmp	family_vidar_v7
behavioral1/memory/2228-556-0x0000000000580000-0x00000000018D9000-memory.dmp	family_vidar_v7
behavioral1/memory/4000-574-0x0000000000580000-0x00000000018D9000-memory.dmp	family_vidar_v7
behavioral1/memory/5716-614-0x0000000000580000-0x00000000018D9000-memory.dmp	family_vidar_v7
behavioral1/memory/4000-724-0x0000000000580000-0x00000000018D9000-memory.dmp	family_vidar_v7
behavioral1/memory/2228-725-0x0000000000580000-0x00000000018D9000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	HDAKFC.exe

Executes dropped EXE 11 IoCs

pid	Process
5232	HDAKFC.exe
1996	HDAKFC.exe
1792	HDAKFC.exe
3116	HDAKFC.exe
2192	HDAKFC.exe
6032	HDAKFC.exe
5684	HDAKFC.exe
5852	HDAKFC.exe
6036	HDAKFC.exe
5692	HDAKFC.exe
6108	HDAKFC.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TradingView Premium Desktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TradingView Premium Desktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TradingView Premium Desktop.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TradingView Premium Desktop.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TradingView Premium Desktop.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TradingView Premium Desktop.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
2940	timeout.exe
436	timeout.exe
5496	timeout.exe
3508	timeout.exe
3240	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2260	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4812	msedge.exe
4812	msedge.exe
4660	msedge.exe
4660	msedge.exe
4488	identity_helper.exe
4488	identity_helper.exe
3528	msedge.exe
3528	msedge.exe
5692	msedge.exe
5692	msedge.exe
5692	msedge.exe
5692	msedge.exe
5052	TradingView Premium Desktop.exe
5052	TradingView Premium Desktop.exe
5052	TradingView Premium Desktop.exe
5052	TradingView Premium Desktop.exe
5052	TradingView Premium Desktop.exe
5052	TradingView Premium Desktop.exe
5052	TradingView Premium Desktop.exe
5052	TradingView Premium Desktop.exe
5052	TradingView Premium Desktop.exe
5052	TradingView Premium Desktop.exe
5716	TradingView Premium Desktop.exe
5716	TradingView Premium Desktop.exe
5716	TradingView Premium Desktop.exe
5716	TradingView Premium Desktop.exe
5716	TradingView Premium Desktop.exe
5716	TradingView Premium Desktop.exe
5716	TradingView Premium Desktop.exe
5716	TradingView Premium Desktop.exe
2228	TradingView Premium Desktop.exe
2228	TradingView Premium Desktop.exe
2228	TradingView Premium Desktop.exe
2228	TradingView Premium Desktop.exe
4000	TradingView Premium Desktop.exe
4000	TradingView Premium Desktop.exe
4000	TradingView Premium Desktop.exe
4000	TradingView Premium Desktop.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4556	4660	msedge.exe	84
PID 4660 wrote to memory of 4556	4660	msedge.exe	84
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 2904	4660	msedge.exe	85
PID 4660 wrote to memory of 4812	4660	msedge.exe	86
PID 4660 wrote to memory of 4812	4660	msedge.exe	86
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87
PID 4660 wrote to memory of 1472	4660	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.reddit.com/r/Cracked_Software_Hub/comments/1fo875c/tradingview_premium_cracked_version_available_for/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb397546f8,0x7ffb39754708,0x7ffb39754718
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2116 /prefetch:8
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,14755040523241585038,7068528813297035620,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4884 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5304

C:\Users\Admin\Downloads\TradingView Premium Desktop.exe
"C:\Users\Admin\Downloads\TradingView Premium Desktop.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5052
- C:\ProgramData\HDAKFC.exe
  C:\ProgramData\\HDAKFC.exe https://apklight.com/clips.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5232
- - C:\ProgramData\HDAKFC.exe
    C:\ProgramData\HDAKFC.exe
    3⤵
    - Executes dropped EXE
    PID:1996
- - C:\ProgramData\HDAKFC.exe
    C:\ProgramData\HDAKFC.exe
    3⤵
    - Executes dropped EXE
    PID:1792
- - C:\ProgramData\HDAKFC.exe
    C:\ProgramData\HDAKFC.exe
    3⤵
    - Executes dropped EXE
    PID:3116
- - C:\ProgramData\HDAKFC.exe
    C:\ProgramData\HDAKFC.exe
    3⤵
    - Executes dropped EXE
    PID:2192
- - C:\ProgramData\HDAKFC.exe
    C:\ProgramData\HDAKFC.exe
    3⤵
    - Executes dropped EXE
    PID:6032
- - C:\ProgramData\HDAKFC.exe
    C:\ProgramData\HDAKFC.exe
    3⤵
    - Executes dropped EXE
    PID:5684
- - C:\ProgramData\HDAKFC.exe
    C:\ProgramData\HDAKFC.exe
    3⤵
    - Executes dropped EXE
    PID:5852
- - C:\ProgramData\HDAKFC.exe
    C:\ProgramData\HDAKFC.exe
    3⤵
    - Executes dropped EXE
    PID:6036
- - C:\ProgramData\HDAKFC.exe
    C:\ProgramData\HDAKFC.exe
    3⤵
    - Executes dropped EXE
    PID:5692
- - C:\ProgramData\HDAKFC.exe
    C:\ProgramData\HDAKFC.exe
    3⤵
    - Executes dropped EXE
    PID:6108
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\ProgramData\HDAKFC.exe" & exit
    3⤵
    PID:2468
  - - C:\Windows\system32\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HJKJKKKJJJKJ" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:180
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:436

C:\Users\Admin\Downloads\TradingView Premium Desktop.exe
"C:\Users\Admin\Downloads\TradingView Premium Desktop.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JDGIECGIEBKJ" & exit
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:5496

C:\Users\Admin\Downloads\TradingView Premium Desktop.exe
"C:\Users\Admin\Downloads\TradingView Premium Desktop.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DHIECGCAEBFI" & exit
  2⤵
  PID:5440
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:3240

C:\Users\Admin\Downloads\TradingView Premium Desktop.exe
"C:\Users\Admin\Downloads\TradingView Premium Desktop.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGDAKEHIIDGD" & exit
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:3508

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\License Terms\License_SQLNCLI_ENU.txt
1⤵
PID:5984

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\DAC\bin\en\License_DACFx.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2260

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Client SDK\90\Shared\Resources\1028\License_SysClrTypes.rtf" /o ""
1⤵
PID:5388

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Client SDK\90\Shared\Resources\1033\License_SysClrTypes.rtf" /o ""
1⤵
PID:4968

C:\Users\Admin\Downloads\TradingView Premium Desktop.exe
"C:\Users\Admin\Downloads\TradingView Premium Desktop.exe"
1⤵
PID:5768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BGDAKEHIIDGD\EHJKKK

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\BGDAKEHIIDGD\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\BGDAKEHIIDGD\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\BGDAKEHIIDGD\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\BGDAKEHIIDGD\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\BGDAKEHIIDGD\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\BGDAKEHIIDGD\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\DBFIDGIIIJDB\IIEGHJ

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\DHIECGCAEBFI\BGHCGC

Filesize
20KB

MD5
fe1b8a9870d1a023ab7381722bea49e9

SHA1
70df8c4ace452d16d452742a31c37f59ca395131

SHA256
89aeea796fb240533a81303f169212ed4e1d29d208a18760696b5b00a8b73146

SHA512
5f00d00c184042e9c067e0404a4ecbcabddce8173762d07b58ca4d122c65405a24abd0bbb64e3f2f2dfc84d23ca464de30df1c177b22ed3591704fc7ce9d7004

Download Submit
C:\ProgramData\DHIECGCAEBFI\EHJDGH

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\HDAKFC.exe

Filesize
7KB

MD5
1fbd01ee768b7c4abfd2783a4707a072

SHA1
15288415ec755c2673da3c716386abfdd35aaaed

SHA256
0a6b558dc092b4f6bce802a6407fe468f7b973c82db36e2d7a0d0db5635838b4

SHA512
200e9ddc345d9a9014e4b8db1db4647ab247491de20deea02ee65a032f62c67cf46fa46fff19b2e2059ba9274a24d9ad12c55b14af9da2ccfb355a40875a8c5d

Download Submit
C:\ProgramData\JDGIECGIEBKJ\AECAKE

Filesize
11KB

MD5
92d6649fa8312412b8ae05f7398a3b4a

SHA1
ed0a54121eaa7ede59d500e314758de20379e7c4

SHA256
fdb0f64ec2463b53bbf4a3186e30efdbd6ff5288d164342b39ba76661db73901

SHA512
c2745bcf3933c3a4b7321bb5429be6f6c0e833d7bb7a515a3fd1be9d241b3fa09fe81005747c20107dfbba799d518e666d9e654b6ade67a918c988652982ea44

Download Submit
C:\ProgramData\JDGIECGIEBKJ\CAEHDB

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\JDGIECGIEBKJ\FHCAEG

Filesize
114KB

MD5
013b18b14247306181ec7ae01d24aa15

SHA1
5ce4cb396bf23585fbcae7a9733fe0f448646313

SHA256
edb18b52159d693f30ba4621d1e7fd8d0076bfd062e6dda817601c29588bea44

SHA512
2035c94569822378b045c0953659d9745b02d798ab08afc6120974b73dd9747bb696571ea83b4780f0590ca9772fc856f79bea29694fe463b1a388337da8bd94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
a58df3afef045ea1a982cb0159c6e9de

SHA1
445ef8e42a0b1518e9bce922ce89e9b0ca9ac4d7

SHA256
f0de707b4cecd7701b3afe2ad6117294bad8bb3a0f71a30588714b4e68aad275

SHA512
428019b0c8809ec5ee0e6976446c966e36bba21d0db35e59c48249dbc49ebbdb6acb5ebbacf0b1ac904d5532ffbf572d8f9e1d36894f014517a9881b0d445980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
14b62f2f78f135997c4d74195731e32a

SHA1
be1699aa39ba6aa6967ff4f6d88a2bfaf04c6c7d

SHA256
92d274a5c37d1869bfb3f8213dbce09999ce63b6cd4197063adec0c704102268

SHA512
85b6a723748e1a4e117e54b0a6f0b3d7775eae9d1d023f6556b6707b6013ecaadba8b68e27fff9d45a80650fdad38c1e1ec63171b65add487b88df3d0906855f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
215KB

MD5
0e3d96124ecfd1e2818dfd4d5f21352a

SHA1
098b1aa4b26d3c77d24dc2ffd335d2f3a7aeb5d7

SHA256
eef545efdb498b725fbabeedd5b80cec3c60357df9bc2943cfd7c8d5ae061dcc

SHA512
c02d65d901e26d0ed28600fa739f1aa42184e00b4e9919f1e4e9623fe9d07a2e2c35b0215d4f101afc1e32fc101a200ca4244eb1d9ca846065d387144451331c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
925ffddca10921d351b4f2ec18fc23e5

SHA1
7a63fb2835466594a0c1df3079e2a9360f76716b

SHA256
913cf59cd1638590436405303bb583968925ebe45b78b3e4e7270270f9bd2e1e

SHA512
124861435f6c46f2671510f0040c76b6386585f868a1f917e4ad462584a7563a1d3968d2489be627d88257141c733ed6cb4d49f4cd2e1643cbe148b929a6cf1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
5171d9af14f46ad260a510f7dcd8ff06

SHA1
f1941cdae29733fef4a6e4ae8bf0dbd30abfe8a2

SHA256
09f1bb83a3c279a2494062acdf7bea9a281cf1e28a08e372563d2c45763fbdc9

SHA512
48c895f93a435589c337aaac48951de46c8a58875b1f88015c88f655cdbdbb0fbebb9d7541d74a4acae7e528111bb7a1ad6369a90b80e00aeed25301a951df3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
bf3a037c982ec338bddc26fa1c1bb1e4

SHA1
d91e1bc23ebb027802257b4b6db72bb98ef3f039

SHA256
c4047cc0ff47cd242aa87fd8f3ec12fc4d06ca859606f7f9079d0de5395dde96

SHA512
c49339e3e34c87deb80cb0b1811f7764718cbaf62d471bad87f71e27a3026ff979e4fd6c4cc8d5c9a1c3025d003679664c5c2a127bb99608f34fabdb49df6738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.reddit.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e748afe29ce7bc21f069d44c45aae7bb

SHA1
248661676349401fa2de528936ea81233cb6ac6c

SHA256
5146e90dc39580841c88d847ee3db4c343c2a5f483623d069b0bcc21ebd75a49

SHA512
43301c6cf25a45f6d29772ccf9a0181adb6ff25f9352386c9743cd101d2577a20d60a2cc8a21eba448f337866d3a7b6cdc92a808682fe94e69589683ac99067a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
98580e4ca5d85401c7f9ca804ffbaf4e

SHA1
dd517a307c12038473a31728a794b02a2f3d5503

SHA256
920b4e1c75e8e27f887f28c84afae30f2026ebd4ea0b7b82766055476c7fec09

SHA512
d31ef61f21e849de940adf41d26a05478a4a331d28752657ada220da70ac66ca28ab77af944e995020f18130d84dd75d1fbe3c4178b81ef8a9d4102496b3c79d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca6cffc08b7d10500e7d8e289a717439

SHA1
0744455075845578cf657fb6b71feace513e5de5

SHA256
8d967e663a44c89c664e2d706cbe2a63e73b2987b3610a660bdf8a565b5a516e

SHA512
e80e1b5ee3f708a3487147d422d0eabfbe25b16a6875fa10191435b06c437329021ad77a88cb5b63ef83dcdd96be156b4495e1f673830c7cf713e08028c2bd6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1fe0a92a86b051ac2b15f84361658081

SHA1
913f17a518ab9f8c6636088ac6a763712e38432c

SHA256
cdf5a1a4b55b6d98e2a52c8b1e1ef3e266027ac223f9070b9c74ef8a2e772dc5

SHA512
f8ff7f810c30b1086139c6f3590230268401e4a346f6964663ce5ff7ccd286fb7e31fd61afbf4c23cca4947fcaf366e7d4abe5b7533aa7a0bcbaa25de66d155a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d3414a507b4bf2e3da02a0377e19baa7

SHA1
9652ad61c4d4a5c9b1991bb208b6ddca5facc101

SHA256
36e01e418b0ee0312444a9ed25589303508f225d477e6d7eb03fe412d9b71c4f

SHA512
3f21f287551d25b42566a8d9c81afe3e9cd29f7878a61a2ca918042c73e82e4af18a57565f9cbb7ccc31c46429f213460c3128a8f41edfbf38eef9a17fcbc573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c1641a9952cd1af7dd2cca252def3351

SHA1
09e10b3e400403c2bdf138e7def3178c9f2838eb

SHA256
a237b4ea62814e6049695e98af515b40d115a1089c080e54ae1a620aa6f6969f

SHA512
3f25d4e6cc7330bd9ca12b5cc2edf79375ec30f0146229537360694b680cde0ddfee1e4d18ac309dd841784dcd9ef13301ff2871f48a254578593b1fd5b1445c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5342d3118582f7c199cf78da5767c708

SHA1
795071f54e9c497d56b2ea34a6e5d94d2f473421

SHA256
1f8ae11ce1ac492660af7e7d1a3e355b89e7a956da528bf1200f06c66dcb1de7

SHA512
1789d8e1a6c93e67a43a9ca76c06cfae9c0972522a14ed0e72d25924d20287e63afa47ce2c87719f73e852e9308e9ed42cc87ef43f29af4a483db71761eff8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6375b5533daf42c9f286fb75071a78fa

SHA1
6bd21ad90012f01cacecd785456fe6cca2b1592f

SHA256
cfa8146988083677dd4ef9bd307f5de7a49d163d0ca234808583d27843e7e873

SHA512
8452c184b0c42bd18324642bbb7e9a6db91d5b165da8d0248ebd16901cc0e517c71a75df903c601311a45162a6ea784eb4bdcb4ba3d033cc9b879a504c039200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f5f9.TMP

Filesize
48B

MD5
d0e70c3ab2b972e727113b319301cf16

SHA1
71d5abbd57198cc793eb6e8c5b64f7327c8d8de6

SHA256
f5d66edc6fdceb41687023f43957fc7cbaf080d17e12f9cab0f53037e8ffdab5

SHA512
504e21a25ec01c46db368b3b1a50fb752f92703654e63d1705f1b39b03bf3fe3ef0171687007ef098df0e2c7cc9a897116ec63fc10db0355d25da8992f343ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
533B

MD5
7ba876074dc0d32f09b05b2ff2162666

SHA1
76b1d3574fc025694b2c161d16915ec0ada6f38d

SHA256
6039432b24b7a3ec616f4d3a84b610b49d97680d58b145a8e3fa7443233ae348

SHA512
969e0413e326dd37dd267fbeba23f2343859bd9fd155fbe6cef13c50ad8b846395d5ace718ece9468ca131cee97c847467ed023cd41854965202fafd828ac8a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
531B

MD5
747fcdfc1a1e7ccb265ee8389a0d43d2

SHA1
fb9af1ca79c32f1bc4ee446fc645a21a7b1aeef7

SHA256
a69020113932dc41a1f666ccc3a40b62b101dd65b3a4bf3fd857c38ad2594331

SHA512
0629bc84612b83df160a2d4f7ff270c836ef7359aecc39eca1903d1aba0ae029d301ab1e4585c997b4cabdd8648ef154fd8df586a2a2010d708df53de661639c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
533B

MD5
38e8e91d292e55e3657dd9eae3fdb484

SHA1
7a79a43a87a746d478bb1eadc19b48f7bc4820e4

SHA256
8e3a620443738db45cc4beb42759df7c9bb4c355220fc1026c38299a89f05b61

SHA512
ed7805e4493d6d8f5e83ab5f15d5a12d651b06ac14ab54be0462e33d92f83bdaf2882a853fbfb5b2d76a5167239c15e66f6c2ee91392e2cfc5a762e200447240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f741.TMP

Filesize
537B

MD5
947c437d1434345de6e1ef6adbd45434

SHA1
17034b14ae8b7c4f6efa6208c93e482ca634d961

SHA256
f0874a72e8fe7b30567f22c6e1c4472f43d628f61d14d2e60502e668f10ad7cc

SHA512
f1f42786663390e90c293f5a03e2230249e0f42aace4a9202969948d5584c8464fcff371bb5ab391aecddc7108d61f858c14d9da40fa0cf66b570c50d2011e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
376a94f610675f1e0582b8f2c2387b60

SHA1
e5716dd5ef64b21ac5b99393a481534d3d10c02f

SHA256
89bb33070fe38afeb6eb3253d50e3ca031993b5ec937a2f78c2019813788042b

SHA512
4bdefb617a643dbc1ace03720619a4eb0f9d037da9bebdd7c77fcb609a212f718b2c47af28d98e7a41211482cdf05cfcb6f054cb0922998f94d6fb8e6e4b6eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4bef0bbf450bb805aeb0b625609f5efe

SHA1
de7d6fb81d5c8189e2897d07e09708b37c2fe606

SHA256
a229e0593f478395a18d2d027116ef577ed411ef01fad466e970b30a0a7b1c15

SHA512
d07ce8c2527f37a441b9a5b518d6a1afdc69d5bdefb45fac7c040adece9c90984d53cc84678fb5c869c2dec4da21f4c3ab5829e81c07b87c74ea1f228c83e3ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CF009957-EDAC-4EF9-BDFB-B97E22461D2A

Filesize
172KB

MD5
1c5eca94f02dcb8f7b9afc5d6361bd28

SHA1
04250efbd76b15ead79e838768dae1a578c874a8

SHA256
e8186a330700b3ed86cf915d54cf805888ca6548a96d59f7a2aee8581f34af34

SHA512
b2ad5f32236e704328715fd3b662730ea8c377a109973c72e42218e8392f96741dfb72beafe4f1cc205cfd25debd1ad527b63f2265fa70f55a4669e0ba3b23de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
ce96199ee6d2b5c0bfcd1af43f42159b

SHA1
43bfa2df71206ae6367767624d88979bc3a75762

SHA256
27807274597bcb13f25a3f5a444b7120f28026e4b19b3815a9ee47fa2e5e5eab

SHA512
d7f25a993406e5d2bbd0edf61fd53f8e072de4ab63ac35e78054f899ae67253d023be763ed9c0a65479afe8d024f22e291921768505f92379f5a2b11fcd12cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
57c94e77f3966c13f8aed6384e728652

SHA1
9188a396c44c53298a318eea89067faafbbf291b

SHA256
05396cb33d0bf000d7addc983cf47b1c71917ec7c7c575269bd61b02f249cffc

SHA512
e3a33891f36003bd728f2da0bb0fdd1aa545010a2d0f539cc1b8e319c022dc3a6a9ede44352772c3ad869ca8067b9e538f8d790e77cd7fb838b6ade8e05c788e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
52e85f51f22cfb076020ba3f886a7173

SHA1
4d17f21277656cd06a2840ef6020cddf7622145f

SHA256
d5b02cc3a55a614a9717f83ef791c3693c583a6e71e13fdfd74d4f78c100d61f

SHA512
cb582b6d5c4b5979268c0323635ffec6830e9166c8a694782d063d9e284ca084d4c042d0f017af455279c267974f125027443325779e02f50083f45d1e0c9acb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
dd3689caa76265f94aa119fc0b6f80fe

SHA1
b9f63c2db39af6a28d43e1743f34b6f2db0ea46f

SHA256
0611916900c3a204bb249685233dfa9e09b59fddfe57abb2711276f2d814df9a

SHA512
b90c0a8779e893df33178c9a856031f931f8c394c519d36538bfbcf898f19312dfacd8de958cd589a70a648cebd9d6f7077be4db04e5deea02ed664fb6901dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPUS7TYC\76561199786602107[1].htm

Filesize
35KB

MD5
14ffae672a9ee29f47326a4386826702

SHA1
19e3c7eadfcc37623a317516db2cbc5662c939e4

SHA256
cd919c1ebb6ac808429461e95332a555b153c6cf954b89cbc51fbeddcbe6137f

SHA512
37b0d8926f82fa99f542c43ef907ccb9028ba97b40a15c42eb8f755a4cf5360e5593d922f386ac55f3d746a4165fe33093c8cfb10006f5f17dc72834a2cf84e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HA5FC889\clips[1].exe

Filesize
3.2MB

MD5
591e2268cf72d349e9b46eddeb65db1e

SHA1
682f4e6840ff963a142e551a9ffc522a50826d61

SHA256
b94f9fa3f084671c30fd0f2c660d580046a480a8ae2790d6da29ab092973d36b

SHA512
f3a537dd310c41f491589d90dc18e97bff5bb16358ccce104ba1fd10d6c026dcddc955c65a19b269fe3a88d0b6cff94e71a68300107278b152c0b831e4c34567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HOI3BGS3\76561199786602107[1].htm

Filesize
35KB

MD5
3be544f9f52df59136496eaca593c55e

SHA1
5afaef822af4fdd5d31549132627c2f50e13a157

SHA256
3619687756648a2be7d34576e9b99890b023541922b9e58feb8a0d35d4fea613

SHA512
e2bdbcc6147c7785764a46c5ebdb34756b314c58ec4277758a67df3653a15597e1fa1431869dbd4988a195bf1ec8dd9987b7672263b421540b6b9266830dac7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\76561199786602107[1].htm

Filesize
35KB

MD5
3b3bf7140705f6420079870e4f53d6f6

SHA1
2cd8a33289b94ba46a85315bfbc92915fd7ca1d0

SHA256
95bd212e0bbbe99bd1fc1734870202532d07e87c85e99feae05eeaaffdb8c663

SHA512
1fef872f17e3a1a75cd631e3334b3430dba9f6a450d22ee643cc5d09f65ae219e2a36f8498e8da0e984b79da332b7c374928fd3ca3c9b6975317cd15b18cdcf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\76561199786602107[1].htm

Filesize
35KB

MD5
98cf15d9605761068a98b080a4481d5b

SHA1
5234bf28d6ab7035148feaf7963143a3cc69034e

SHA256
9f7824ba856df0ee22276fea3e4fc18370928c762723453dd4c2fc0c8738358c

SHA512
2901baf652de7096875143c6e949c1e28aa6cbe3fe6b6dcedc39450c211e9e0125ebececd419a8ab6f634c99f511fb8db2ca6cc9df039ab7bae78baaa550be7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\License_SysClrTypes.rtf.LNK

Filesize
1KB

MD5
3ee51dbfd8b8666ab8ca198bb68623fd

SHA1
e743c814b048c4db3fe95cd17076e42e941a7e00

SHA256
e7ada56ad8a448fb7d9d27a24d9eade09736f821e10682f13fdf30b33b8241f1

SHA512
682c8438be22b19aa1144415c41c0dd3024a26cbf739091ec734c9c7220a69b22eb7dc2cb56d7512063e75beb9a8f84c2082e6eb4e5b4ea2ac6b37255263bee1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
405B

MD5
e8bfc000be8cc62849491074ffb04ac0

SHA1
d0da01d37c44746469803f43a7920daa1af46faf

SHA256
6038ccc33117534f2eaa8953c17b6be6c2bdec965504fa65cdcd7d7d0ecd15f9

SHA512
bece249db2415427a8560f76526924948064cac94a27df69a1aec28ad8266246e308e132715fe794f50a6c14fe38925a269f9a5b8c17cc2a23b7834a278d93bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2228-543-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2228-556-0x0000000000580000-0x00000000018D9000-memory.dmp

Filesize
19.3MB

Download
memory/2228-725-0x0000000000580000-0x00000000018D9000-memory.dmp

Filesize
19.3MB

Download
memory/2228-542-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2228-541-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2228-540-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2228-539-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2228-538-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2228-552-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/4000-572-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/4000-573-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/4000-570-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/4000-571-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/4000-574-0x0000000000580000-0x00000000018D9000-memory.dmp

Filesize
19.3MB

Download
memory/4000-567-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/4000-568-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4000-569-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4000-724-0x0000000000580000-0x00000000018D9000-memory.dmp

Filesize
19.3MB

Download
memory/5052-407-0x0000000000580000-0x00000000018D9000-memory.dmp

Filesize
19.3MB

Download
memory/5052-408-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/5052-534-0x0000000000580000-0x00000000018D9000-memory.dmp

Filesize
19.3MB

Download
memory/5052-415-0x0000000000580000-0x00000000018D9000-memory.dmp

Filesize
19.3MB

Download
memory/5052-409-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/5052-410-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/5052-411-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/5052-412-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/5052-413-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/5052-414-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/5052-434-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5716-614-0x0000000000580000-0x00000000018D9000-memory.dmp

Filesize
19.3MB

Download
memory/5716-515-0x0000000000580000-0x00000000018D9000-memory.dmp

Filesize
19.3MB

Download
memory/5716-517-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/5716-518-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/5716-519-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/5716-520-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/5716-521-0x000000000A510000-0x000000000A511000-memory.dmp

Filesize
4KB

Download
memory/5716-522-0x000000000A520000-0x000000000A521000-memory.dmp

Filesize
4KB

Download
memory/5716-523-0x0000000000580000-0x00000000018D9000-memory.dmp

Filesize
19.3MB

Download