vidar | hxxps://cdn-config[.]com/activator[.]exe

Analysis

max time kernel
88s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn-config.com/activator.exe

Score

10^/10

vidar fc0stn discovery stealer

Malware Config

Extracted

Family

vidar

Botnet

fc0stn

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1804	activator.exe
4336	activator.exe
3100	activator.exe
4700	activator.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 3624	1804	activator.exe	133
PID 4336 set thread context of 2384	4336	activator.exe	136
PID 3100 set thread context of 1184	3100	activator.exe	139
PID 4700 set thread context of 4956	4700	activator.exe	140

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	activator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	activator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	activator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	activator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 895213.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
2724	msedge.exe
2724	msedge.exe
2000	identity_helper.exe
2000	identity_helper.exe
264	msedge.exe
264	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	3728	svchost.exe
Token: SeRestorePrivilege	3728	svchost.exe
Token: SeSecurityPrivilege	3728	svchost.exe
Token: SeTakeOwnershipPrivilege	3728	svchost.exe
Token: 35	3728	svchost.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 1140	2724	msedge.exe	83
PID 2724 wrote to memory of 1140	2724	msedge.exe	83
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 2464	2724	msedge.exe	84
PID 2724 wrote to memory of 4340	2724	msedge.exe	85
PID 2724 wrote to memory of 4340	2724	msedge.exe	85
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86
PID 2724 wrote to memory of 3652	2724	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn-config.com/activator.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa68646f8,0x7ffaa6864708,0x7ffaa6864718
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,15750247050590744209,1543505335629532129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:264
- C:\Users\Admin\Downloads\activator.exe
  "C:\Users\Admin\Downloads\activator.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1804
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3688

C:\Users\Admin\Downloads\activator.exe
"C:\Users\Admin\Downloads\activator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4336
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384

C:\Users\Admin\Downloads\activator.exe
"C:\Users\Admin\Downloads\activator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3100
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1184

C:\Users\Admin\Downloads\activator.exe
"C:\Users\Admin\Downloads\activator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4700
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\98DAC58D087487146B87454EFABEB371

Filesize
345B

MD5
c28075b9856e02d678e3e9a2c3e64555

SHA1
3f8b479ee939792982cd4373fa4678aae358021e

SHA256
1874ad50a09ea5f68f3e83edd74a6d9943ed7df3a97d95b1c7a62925e4803c2a

SHA512
d4d754db63fc0af6474c51f229b015044492be7ad49dacacb8bab7f9ea4708c0cd5c1568bef7772fc33574adc743a6d8b893e25c485120d3ab57aeb5b56a964d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
6457cc5eb2b33db22d72856b6f489e28

SHA1
7801f8873d728fac287ed95df9481b21cc246604

SHA256
63067640ad1fdf85dcd3d5ff5403a2eefbef7f678e7dff3b8a934d85f590226f

SHA512
2badb28375fa6ed3b0c7ff4911a9895cfb22fbe8bb5f53d5545f85a720469e2c4f494feff21b48e2eb65530cdc8d9b7b782190749ea2d8f01992ca2885c6e4c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\98DAC58D087487146B87454EFABEB371

Filesize
540B

MD5
6932c15a5c136da9323469543b0b998a

SHA1
d1fec654b4af1a1d05c4c7f2bdeae0ee066340d4

SHA256
13a2a856dbfa468e592e5c15beb274b4b51c7a47123ddd55f3cf22acf7f789a4

SHA512
9f1c6cde699903cef8707644865ab325f02397942a41e8e2fa9f44ae6b6f8a135d7b54ca146db115e3e88e23162e74300ba20b1706758243bf0562fe188ccc32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\909ed66a-6a43-4a4a-9a55-c929af4be819.tmp

Filesize
182B

MD5
15e69ee34d1d6343d90360da56927b68

SHA1
1649494e5ac64099fa92e013c9e4d52c84921684

SHA256
027386654826df87e7b2d7e60c5c4942bd9d7b4731aa6e75093a34dfd5853f5c

SHA512
79f2fe167cebcbd29748ab9a562e96e0c8f9d54cb9bcfe80649d272b17ebb6b20c66519448caced109ec8b1022aff8d34ddfd948fa8f9e8c0463ecf98240c6f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64dd175a6c2b9a20231d842c2b781d0a

SHA1
3dcaaff7564e0a6efb152e21b034c46881efe317

SHA256
0d9724dd751510c8c17117cb55d075a2717d64b7d5b67cf0240245a731fbe0d0

SHA512
a674270566844a26d9ee0d5daece453f25049826f32e43d577d4d3b8201f42d2810d7bce6013f4cfe952251079633388a73ac34d98db526b2dd772c615a9cac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4dd2ee332d5c3bff0317e850c65e82a0

SHA1
d2f17c39c4c230612c53f49e741e1c3379f5e542

SHA256
265f6613ad628d246804a255a8c38ec28df97e55494fdaa87731e59410d46cf7

SHA512
719038db229233f8a66be326684b0302ab1e414cdd39ea97cce4a2742547b8d867da8850fe38543c6bba88554bac78a20c91be5183bfa1e1024de9bc02982462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fa5a675614fa2e5edcbcad85afc1517c

SHA1
2e1dbe120550401bca485bfbd0b47fe907fb8d37

SHA256
19c5e9f38d492950e48689d2883896ab0fac6951f17eac78fb272f9c7bdbb74b

SHA512
eb999379b981e5f242e44a53bf9727c32173ad5df2c2f2e8a29099fe190a74cb605d01a8b7039e2a80b47bfc240bb7e7aab560d3bf82bca7da71b1ec3e816627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f4baeebd09a30ccfe9999e22d37c6900

SHA1
efb58c77e844972d2e0926edb8e216eb78f26ec8

SHA256
3da89fc7db0efae6e3b13aeef67c6116a1c891ed65c244d70d228afa253bd7ee

SHA512
87f3dcc49ed59de47a254d519c75731c8f8a9b94745b550b5ffb01332433fdc0dd8e046c2600d547d60c1bb2ddc18c3a5034047d743d9aea0c8e47928c4e481a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
27bb500cea24cbf4393da3ba4d874dfa

SHA1
010bbe0c956e4f1a9d729870b6bed22b2619c821

SHA256
2a746f6375212d26eed08890f8f4cdad8d8818ac81d546ddcda5706a3e335e9d

SHA512
d56f3dc7d34300889941eaa8501661ffc44024452e7ef1fe91b267d63e01d8f20004f98315d30e05d75902b592acf31a5ade37e6472c2acae4e07cd1850f93af

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 895213.crdownload

Filesize
9.8MB

MD5
2a7ec240fa5e25c92b2b78c4f1002ea0

SHA1
bca1465b8bafa5fe58d96d4289356d40c3d44155

SHA256
2c973057cbbe0d9836f477281a06b51c6ce009c5ac7683f4255743e7d01ca9ca

SHA512
dba36379cd0532301193b25ffc4c9b74406efc08ca2d2ce0fec06c115abdde2ab0409bfda1f8bf85ce50764a59503ab0d5b1efbbd641b4caec1dde910d220df3

Download Submit
memory/1184-194-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2384-188-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3624-143-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3624-144-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4956-196-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download