phemedrone | hxxp://www[.]mediafire[.]com/file/v04wcs9dlfq5ke0/VanishRaider-main[.]rar/file

Analysis

max time kernel
373s
max time network
384s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file

Score

10^/10

phemedrone credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7213845603:AAFFyxsyId9av6CCDVB1BCAM5hKLby41Dr8/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Executes dropped EXE 5 IoCs

pid	Process
3624	vanish.exe
5132	vanish.exe
2552	vanish.exe
744	vanish.exe
4080	vanish.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File created	C:\Windows\system32\NDF\{299D9C6E-41F4-4DFB-9E4B-6F0DACD7E3A4}-temp-01212025-1132.etl	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{da7a6a23-f6b1-4606-b52d-205aff6a6b25}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{da7a6a23-f6b1-4606-b52d-205aff6a6b25}\snapshot.etl	svchost.exe
File created	C:\Windows\system32\sru\tmp.edb	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{299D9C6E-41F4-4DFB-9E4B-6F0DACD7E3A4}-temp-01212025-1132.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5464	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1224	msedge.exe
1224	msedge.exe
400	sdiagnhost.exe
400	sdiagnhost.exe
4844	identity_helper.exe
4844	identity_helper.exe
2132	svchost.exe
2132	svchost.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
2132	svchost.exe
2132	svchost.exe
2360	msedge.exe
2360	msedge.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe
3624	vanish.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	sdiagnhost.exe
Token: SeRestorePrivilege	2444	7zG.exe
Token: 35	2444	7zG.exe
Token: SeSecurityPrivilege	2444	7zG.exe
Token: SeSecurityPrivilege	2444	7zG.exe
Token: SeDebugPrivilege	3624	vanish.exe
Token: SeDebugPrivilege	5016	taskmgr.exe
Token: SeSystemProfilePrivilege	5016	taskmgr.exe
Token: SeCreateGlobalPrivilege	5016	taskmgr.exe
Token: SeManageVolumePrivilege	2132	svchost.exe
Token: SeDebugPrivilege	744	vanish.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
4772	msdt.exe
4772	msdt.exe
4772	msdt.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4772	msdt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 3368	1224	msedge.exe	83
PID 1224 wrote to memory of 3368	1224	msedge.exe	83
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 3076	1224	msedge.exe	84
PID 1224 wrote to memory of 1300	1224	msedge.exe	85
PID 1224 wrote to memory of 1300	1224	msedge.exe	85
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86
PID 1224 wrote to memory of 4864	1224	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb346f46f8,0x7ffb346f4708,0x7ffb346f4718
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:2164
- C:\Windows\system32\msdt.exe
  -modal "524896" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF4D6F.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5292 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,13112695150276131940,4005156552720478889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4728

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2376
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:772
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:5464
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:5520
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:5572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
PID:1220
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:3052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5600

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\VanishRaider-main\" -ad -an -ai#7zMap30919:96:7zEvent13072
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe
"C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe
"C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe"
1⤵
- Executes dropped EXE
PID:5132

C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe
"C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe"
1⤵
- Executes dropped EXE
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault84d48db4h5bc3h4ae7h9362hd61f05ae38ba
1⤵
PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0xfc,0x138,0x7ffb346f46f8,0x7ffb346f4708,0x7ffb346f4718
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14777545846070582992,8802723875250873766,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,14777545846070582992,8802723875250873766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  PID:1124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /6
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5016

C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe
"C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe
"C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe"
1⤵
- Executes dropped EXE
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025012111.000\NetworkDiagnostics.debugreport.xml

Filesize
137KB

MD5
f64ac6942044923a3745665e7239a081

SHA1
d33d7f8e12e0fc98a0482d30d8322ed6d1b29e59

SHA256
c6a0b6ff065ab98c017d3e6212d370345dd2180401ec3aad43eba96a7d8887ef

SHA512
ebcee464da65401d92ee7f02488a51b885e9ff4e7699c600c6bfa3c2e688ebcf1e03581aeefabc2b25c1777fbc483840ba1a0584e7c6216657eeade1a1c1ef07

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025012111.000\ResultReport.xml

Filesize
37KB

MD5
e05ed6be7a5ae8abe045005aa141ee1b

SHA1
123ed199a15ee735793ed29fb4cc70aeebe25714

SHA256
8a287665e5d9be16310489005e40b4ef126a5964ad453b23175bb1b5075dad18

SHA512
4ccf9b8a7f8a5e26a619f34c05a08458f65838ae5305c73ec02f8645fe52872e1943a5848c7504744861895f23891a6e3e64d557729160de0be3e671654d6a8d

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025012111.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4d5c317f-34a8-4493-9423-5fef7d875235.tmp

Filesize
11KB

MD5
4db25eab597999cb2ea1487a74034f97

SHA1
ddafe875de984e6577eb5f4f8a3b549477baea40

SHA256
b47b51a37d4b7440fc207e9f2de89079d0257de7858cc32399fcc9560ee99574

SHA512
a5dcb75ad5f6a7404044c6990c15edbea435fb906ed432becbd37bbb0076018474b2af379ab3f099fbef84703f995ac564370adc49346c7d507dce84230fab3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
c8ea67f1d6a5c0f443779001c6a673f0

SHA1
6936dd06c11423e91d92eacfca4d0b9774e8c8a2

SHA256
a160acf7914511d0b06b301745aa3673eced7938855d6dc71dd7278f3a9fc16e

SHA512
2e8c298f9f20a6d18e8481461479b988bb225fa6aac56071326d83d6af3d2581dbd2fe4e7aa6137a9d82b2b73506f7a2fb9acac32997067ddd686bdf8ab22822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Collections\collectionsSQLite

Filesize
64KB

MD5
2b65c5d1ab0aa3f3f57c635932c12a5d

SHA1
b532c837537438e591d5d6adbf96a5dfe5c40eba

SHA256
c111777e9b9a42cf62b06900b847283238af63d15033c40577cb10aaa58c084a

SHA512
7d75089fb928c23c0166a74bb2baa3c1245bb23012d30ec2cf1fe71f8412700d354d4b9b8070309b23a5b003e37727ecd00f9ffaa018ffa5bb67ad1bed58e175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
a17f42a81f6fed41a90e4defa0157e4e

SHA1
17fbc538a29dc9711f6341415007f0b4e15adb96

SHA256
a0a293e921beb68ab79e28ffdb4682be4d061f31094f485fc740f478fd9a0460

SHA512
54710d43777aece5a1adf401532d7afba2d79c0f78cc9c95c183b9a3586612e40dc787273e853fbdf5576df642d60f765c5d90c592b8a264cbfebfea727d7ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
269355470fc735fc68e06d54ace65519

SHA1
977b8850842c5a36d631164cb638a934cef9f5e0

SHA256
4777f469fe0d9939097adcb9ddd9df677ecd28c6c6059aefaa82dbda00d01262

SHA512
7f4fba859a625194ee985eeed37f1200892a49419d4495de5d312512b2dcf6880ad3ff3d3eefa8e4b8b421e486954bab7b7bcf3363f422a1e380a1b7bd7e48db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
396B

MD5
90075e56f506c9af9c4e9af2aec16e64

SHA1
5eec1364fc540d6683c571974d1d8b707fb8136a

SHA256
76f2f779a1910e2b0e4d27c3d9264693ef6a19998e9fad30a5f434df46119b28

SHA512
1bffc683f2251c2afeab98ec47099a73f8f35349b1faff4475b6d18647a00dd81d64595dabfc0a01da3678785273aefbbc03d0e000c77ab496dd29efc9cac153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
396B

MD5
bbf790f6332630057a46c1e064a0303b

SHA1
90f3a2eb01e9525139aca84d6d8d568ab8e3e57c

SHA256
75c890f806da2e0ef7c9a1c0d3b1b2fc5e3dffaba799bd97292f1a41facecbc5

SHA512
994658593e363868ac523f79a3f74ec77fac4f9ea0333011eaa5ebb28a8095ae1409b4fc7e1408a69e51ba811ca174795ed74bb8331747f25277e21b7c76b16f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28ebdf1ea451d9ffe5523b46ce6cd5bb

SHA1
3b7fabc2ca2b072cffac4aaf52984e2c2bb6ba71

SHA256
1fc21ec7d6fb38f5bb7d057f0886d5cdcee4e29940931e30008fe5066697a474

SHA512
4391e2c001a73021e704b632f6862be5064a6d510e9d6011a4946cea934203e00221f566b91b641b5e0fb73183a89d8a86cca1b682f520fc72442126c2ee83d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f5faf9a819099cdb9e89f88b17101a9e

SHA1
7550b8f76e27ff0b26df463873fa548d10a863c6

SHA256
78f4daa7c4f4a274d0acbf0456c7abcd488f525dc9c760222374fd808c73fab9

SHA512
c62111a3ff69c850f7896245aabcbb46ea08f2cc4a77dd91b558d67c2ca214db6a09672970dc2eca7471c1a55681ea969f96ffe30b4ba8e7794a2af3183e443a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1602575d63dd1dcca843e61addc4f50a

SHA1
7b75393b01d191a9c25160d17ca1d99f53873ea1

SHA256
219c3ca7036b1ef54952baa9cfdcbf7b56ab11f7870571e79d09da785dc31819

SHA512
8ca0f7cca0656ab3a564719f5141c5bc3c72863307a4c51bd24afc5dd2f729261e41e0e388077c542d450f3e319e85acbc97ebca4faf5c625f34663809567a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
91ce0cf4969a1f588d675ac5dd1ba6c4

SHA1
3ffddcbbe69f1026fcb2937039d05db4f3fbbcd8

SHA256
f46531ebaf1c8d67dc0b1a5987eba24643fceb8c59d81fdf84a73d6ee4176793

SHA512
f63d90d18fe8e00b00dee033b9a929b2ebdab8043908fc0cc6fc15fcbf0d109bb48faa202ba21c3b44125239108937bc9bb8e0e586e28a2233982f2c0c6b597d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fa1193d92ef5a96fc78c434cf9c69a6f

SHA1
1af3cdcda2d3fa7aa7fb91f0faf7cd0df038b028

SHA256
2c8303666bef3fdf99f45d340497c0f0f36e9fe2f507ca0fb87c0e09e5c5f693

SHA512
c2b44c8a11dea2eebdcd81f9e312c50d219df851f0b49afa0eecf21eb459f4bf7b16ca2661412ccd15b6b8cd8ae2ee4045e80f2251ea5e887a7b2b84da6a90b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13381932718351167

Filesize
11KB

MD5
ece7a69f7cd30a017e33c82ee9eb3dce

SHA1
631397b1325ff5569656115ed6b61b6ef44ddb05

SHA256
c47df1872a1f7dcd948065e42601851d6dd914bcedc18aa67226b78f713a64f2

SHA512
76bdbb6baabd480f8970a616b657895496d4eb34a3f66d8bf136b2dadf9827d903e33c84cad6d4e22aec239f3452dd6fea4e476970476883eb9bd28f0e76869a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13381932718678167

Filesize
933B

MD5
400b3a9ab8da5f3d5d6acd1f44eb4ff7

SHA1
f6404cf76f9b2bdd6e29b51d3d0260f9e17fab1e

SHA256
b221679a4f8581b0d4f04881b12403068abf852674651bdfc1a34925584837cf

SHA512
7154c53a585215e2b7ff000002cd9056dc76f38fb974a4b988e355694f0cea840dafde4a0c6dca5a46797180a088846b1adacd3a0eb8452db604834d55b1c5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
fca621466ede4c2499ecb9f3728e63ab

SHA1
3d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4

SHA256
c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8

SHA512
aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
63179bd63894029824ef5ba346a3d5ae

SHA1
3081a7244b140a449ab13ff6dee8f7120484d41a

SHA256
1ef7327244400668ec12bc65759f5e09c747a2b440be0dbc22fd582bb6e047b3

SHA512
695c55cf7615a8c47bec07f09869b07dfcbe4187197862ea16ecfb5000db27a6a0f5e18c785020ee4b7fc9bbb7e1e76c5229ebb7d3c38a27c6d3ec720bc3580d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
227a24a87e335c9950d627f8250ef229

SHA1
c62d65549f26767bbf5df70e546f3d9114dfcdf6

SHA256
e0cfb62bd517667d97377d693e2dba449c466c9241521a29f7e3d0c0d87933da

SHA512
1746911c6cde27a41dbac14cfd4c69283e6f9f91d5a0c3c4cbf098aee7e6d1ecc9c6e3e598006a1fb65f7a4aedb37cee147a32dea16e000b15856351c8118085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
4963e1c9d05f3b84793b2db1e9a577aa

SHA1
75328989dac7bfbdfa1c39d3d75b857a92863988

SHA256
eb99d3fbe4174c04433cfe6d192793a1d0cd3fb4cf900e61b8378e06c5979a64

SHA512
8cfbd155d589e4c11a683fea123edc5b8419ea2770b13eed8872dbb9bff566e6c46e284da0361f7a22845a0b320d2b9a1a7cbf84d30c8ffeb50c1d2ddd928860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase

Filesize
10KB

MD5
4b17f705f46d18fd97e3754e38b61ed2

SHA1
32eede633a2c7d142163e11d8d311a941e0f33b7

SHA256
8d5d71eaf90ac656102069b6dfa9e8ea6d6dae683242ea5f737265d79f526a3a

SHA512
09a1f0bac77352f18cedc9e9f43b6b42cb57e3ca7083cb054d77f6b19197f9c5ea4928456e15811e066adfaf5d1ccc729f0818ef0685523f69a1208dd7e90c1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
198B

MD5
00239641831b8170073d69b660762ac3

SHA1
8c520a57ac5115e01de03d48eab081410bf427ba

SHA256
5527c594ca092e5673c4df523a26a66b957b325ca3b55ac8fcb8bc0ebd4b6e83

SHA512
22b5806afd7dae9f397e82cad860ee86f5b3e35dacb298972c485af2ad288e62da032e250b27a2bff85e0d49ba30f22af6471f74448956872acbb0100ab07bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
241KB

MD5
a5fa1154e2801b68bfda7e2dfa9c754f

SHA1
3fddab690e2fd0ca9944793cc20f9b7d60e538b1

SHA256
ac0f6cc5e128cd0dc818cc00af9aefdd647fa44f62e4713e5039e0c799ebb054

SHA512
6f068cac501ece109016b4f1c3109998640b76ba51efb19d9f02efa2b4ec155204a58433a605ce78250da117951fd7f64c00c039aac40ce2a858d13096f283a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
166KB

MD5
60ec574d2b51cf195fb5e033ec58e716

SHA1
ab4b638e244ef0ca76fd3ee8552a0906bc8ee142

SHA256
6129d9f8d69f5e484a47aad7e054f2b3575c9679df7ec98ad629b9edd56aeb52

SHA512
fd3c0dd02b09fa4bc133230809a6b91c75d4ce8a2bec6de74430065e8ca9dc1d46c0b4f17a215acba3e07beef522f0cdfff4c279db6cd00da610ba207afd0d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
34da05028c936c32f1aac0b514bc3aea

SHA1
5a74af2f85de412302c4e433067767ac0f1d12df

SHA256
7da48946d680c77d3d78cc4dd398d777c0d28c0c3b2259fcc6072a300f03cae2

SHA512
080d122da4016ccbf7dfb80d0d42e25b35bd840504c77e53ed0c6f9b38a3069b56f9b380d78f8ba8eeff12f96b4dde89069611256d0f9f6caee9e602f1be81f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
531B

MD5
3c3345d1a607ddb66fb13a7803a8e149

SHA1
4267f36158ad3c86e3b12f7b316164d5f9ec882e

SHA256
68e78c9000bb48b2f666941f9633ca011814d590db601f7e26e63784100c4172

SHA512
9ff75d1056882cc4a6ec2724727960f389a6a6e952c59831cb116a6f34a1cf8e21c9a120d3328abd0028132e847bc0c07b360b75d6edd24f3fefb4927dc7a4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
6ed0e5025c3a9020cfa290af4943ff95

SHA1
a56220e1bad1dbac05e04a361e4fd1a1d8c83cb6

SHA256
7b82a9a460c6da0883ff9cebd71b062d9db7085e671dc2b241a41f67cd384386

SHA512
432c7b021ae53640f0435b9eaafcaacee76048ad64f1a93721688b2f09934c4671d96d95d8cf41dfebffa151e4dd79b0c439c613ee65960106f5d991514f07a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional Data

Filesize
4KB

MD5
47d51beea86408c240b4251384386ab7

SHA1
5b858e835e716717946d89d787f3a189ae9c426d

SHA256
28b7183dcf3ea002187959d15d308f01749257ac84d5265ebfd90f4745ceaf64

SHA512
e36ca1161a7a225caed4e30c886e95b8a8ec3ba4a73618048a93a6ba4341cac47f97ed103df6e6d33088da5517d1efd42f16386b0b1614dd5208e2d0756f0821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional Data-wal

Filesize
44KB

MD5
7ddfbc874edfe555d726e2adafbaad9b

SHA1
02b699e1e9586f56d14b1713d12fa749c64dfb7a

SHA256
bf8cc347419efc56aadec1b5e2638cbc635be64de1122558cc7e9f398249dccd

SHA512
553317fe8e5864877b3da74f2b341c6fa754a83f5338dc98ce3ecc4d8c006883cbb8163b2ed40335ca954d084dccf82d55d547f970c5516034ea9a629e6a92ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional SAN Data-wal

Filesize
44KB

MD5
dbe264078876b639e5e43755e56abc32

SHA1
46158580ab46a4af2be5526ad0cb717a5929d600

SHA256
ddd32983fd927d0fbc72f523b1348de0464f12f0e469276534effff06337b544

SHA512
0d2830e3fcf14977d075054c655c403e3318514494912e1cf9b304fbdffa335244744a3fdfaac64ef3a9d0eeed74eec310ece238fd399367852210384b672939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
2af42a5e1234ad1a0a171c5bd59f06b7

SHA1
b0a0a84165864738863465297a85d2a33e821284

SHA256
fe9b2cce8ce4823b7fcac59ec3d2c0bf65257c1696b422dc43ef0dfb9599a7aa

SHA512
16d958b1671962a7d66d4107ac35ed5177ff0eda0ee7407b8b152ec105308591e9fe38aee18235279e443849d998ea32fb511bcb028aca9aae8629a6e6328df5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
dc9dac130f7affaa9270ca929a463f9f

SHA1
31532e264120104ba50af4732bef8232cfe35020

SHA256
318cab46f3a322869e4ec4f0703e06ca8dbbac95c7dbfa8b9da20bf13951ea2b

SHA512
7cc0d7a72652aedcd7a379512952a3cd8b59b6868c2f245059bf80b8f66f4b0952b702b90938cf1ef59da53baffa4c527137682dd1065650d657cc7b30eb49b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
f7a766b2b53f1fb94067d09611343c42

SHA1
ca2a5fd2494b8a1fb7f66c3ac90d2bfc2e4db668

SHA256
0944da4482df5f7e98bb2c414a5d311ccca67b8da9f3d09ba7bba8f5e24095a0

SHA512
b8627e5a73138dc6a89c4a49c69855d97276f59719aadd3954ea84bc389d6e06bca49d6537077a8f4736e3236a20c3b3d770d12a807a0543601b5720c8a55a8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92b6553fc691fe250b52781510c2a2c2

SHA1
f8f39bb942ca590816ee0eb60aba4890726bee0a

SHA256
8ae9f21686d02c532e6258700eb32b468dcca255b9294a73c0f18402583d760b

SHA512
8b048f389f2037416fa75cdf8529a94ddaf424b3127262eab345cb48a4ee1f2eac8fbcbd9d37ea971c0cae957630b4b60f00173620dd18d3a99e1d4cdbf07f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5dba63eb6545914e50e0fa75b9ff7f1

SHA1
ea523f3d13ef977ab490935972e4182322926a50

SHA256
df68529acb2d7fab0c2da17f70d5695c2be0e9ad643b965f5817f8488eac925b

SHA512
f22756a605953bb8b7fafdf01f54618120f1371d94960217acab4f2f2e9f2667b9efa5a00f326351ee03ceefe67197f95e6dcb0094f3642e650e0ee134d789d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26d9b8255a322fc94dcb6933440ec8a6

SHA1
9f19f9588242dcb921f11167c7b04dd9a5303606

SHA256
3b01ea67fab0713964149c51581f574597b892905dd542f6db4897dd8f365c19

SHA512
3ebde294bdf91e292e8fba7026efe47cb9d728dd1ce23271c96e48d871a20df3dcfa71ad27a364405380791d50bfc4726cd52a7bcd023bc95a2e345760a4cc33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
175de5ae055f12c418930eb50bbe9844

SHA1
63242b858aac842492daf5b76ecd564dbe93bcf7

SHA256
128c0dfbd3ac3639e48266657cd1395d2f1a7e351456ede1d808b6256da74a50

SHA512
7d9c3b43178ec17eb0924b3681060d56e187c46442bbae7abb97dfb13b94c4355e0d8cc9a549b9e5c4de6817e36c803f0f433d319f562936df685421b926ddbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f3cea76b01e8c3693cb81cd96431d031

SHA1
3ee06f0d992ab759ca67e529050deb4e63c82012

SHA256
8edc935b68c6a554f93b026fd2c253cb73ad53171ddd635bb6e07cbe89d0113c

SHA512
e2b7f4a8d2565cac72c815f4031cfc93ea2a4eb38e8184f1ea5d024a301ea254904cfaeac959505a25ec0d6b41ce3ab96b95a82bcdf580bc6262e990d91242b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85c2079bd4fa447ccc483a8964db1e22

SHA1
8796b726b7cd087822478b9db47bd9b7a13ae483

SHA256
f9da19e884e86b343c460b476c540e32215e91cd5afc8e28497df08c9631632c

SHA512
17047907f66e21a70232d9de6342adb9beeb1895128209f3b9a8a65a87d270b04f4b9c75723bbccd0f0e80f0fb7559f6775dd23a5b9e44126ed5117684919b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
536909dbadcc6a38bbd59557d8515020

SHA1
3322fbe1ed719e0cbd3f5a16e36e74d8b30a6a23

SHA256
b03340d9eb15afb92f8bda468e86a9216e521198828b3b087feef28d2f73247e

SHA512
050dbe959b6c8a683cd31a83cd6e06e7dcefa1877cbe46f75b672ce4e8b97586aee2bd2546ec3bb0cab2a8f431033964010b6a5dfc7d5d961b3097dbf6a6ae00

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF4D6F.tmp

Filesize
3KB

MD5
f928829fee9679acc20664a58f702096

SHA1
a4b540a896e4ce93cf9f7693e4cd78581ef7814c

SHA256
3020554c939fa83c877f4b68c4f1d5b0e3725631e1cb74fa40566baf0164849c

SHA512
b2c3067ed58fffe13b45cbf221c459e0805aa9bbf847389184f1cd07adb2cbd95a2e998d8a7e5d88f16a9cf9484805b9266c63c82590e44f7eeb6ec0bd858be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qkg4cpfa.kgr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC85C.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
3b3f12145db09f1c11d268fec04340be

SHA1
faee4a50db8969fdf68b0cdea57cdb03c73321dd

SHA256
a3aa398089c6667952a73b8e5d7b75f48e7000f13dd1e7a297277a26d95ba1ec

SHA512
4ec510fd5034473acfae0b5a34bb91478aed3588b22c89560ac503378210328d93347e4c7d68494a89e87320c00b20d76f1c0f8e8467359a54359358cbaa582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC85C.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC85C.tmp\ipconfig.all.txt

Filesize
2KB

MD5
11b133e5e2f72a627b8d430ed45bf7fc

SHA1
e2666cd679436ffa06fa218c343ad3d3aef96090

SHA256
bf76414d279adfa1fe37393c12a4ba84cc6a8bc15fb6a23dd190e513aa857d6f

SHA512
962aff1fc71c588ab500977d571dfc927e8962a07ee51a2558813a2ac547f15920e7e719e84caf2eede61521affbaa00183b9f45aa37347658ec295f9e061c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC85C.tmp\route.print.txt

Filesize
4KB

MD5
6239f3f8f8138d9e0421a39190c13ac0

SHA1
a2d8a55c58520d3bb59d6535e49ae9a36f5529fa

SHA256
ed4e2e1f286d4d83f2fc9bd03090c88db07c2b792a2a15de860c1d82bf735b14

SHA512
c1507de0b9e0a1de1eda426f6a8cb7c672578b7a0bb08132b21db47d53a0def4a7f825017a0dff382431f6009ea7438fc663635cde11060a8163d4486a5ff8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC85C.tmp\setup.inf

Filesize
978B

MD5
bb2b32918edc6dd75b6b157cb0c563d0

SHA1
8b11247c9e639d7a6674e3488b5e899e65cd68fd

SHA256
5195fcd1aa163e3ac12d6dd963010320c9218de7f7af334486f40e1dc315ea97

SHA512
a4f3167e99bdc8805afb2b1a1e5bd505ef314ff14575bd2f3b5d2697153b7cb2fee548aaa1ddd4e99e93fcbdf34b41532ed200895650eabb9d37d34dfe5eb7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC85C.tmp\setup.rpt

Filesize
283B

MD5
24b5d43cf8bc20a8f27ba141cbc30bae

SHA1
5d4a3e41c246a51cace0a4803f414a68ac269246

SHA256
c3f23b17d008614d862dcd92692880709fcb3bef42d154eeee8f154db875676a

SHA512
24f7f345b6d9f3bc6d6cf3c792e17a00bd2d269f5567c6cff51949c2589c67b1136444535054a39e2f6d2f8f4541991a5fca1ce557e1c48793d3d81bfec676a4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 385687.crdownload

Filesize
13KB

MD5
8a31ccdfbf354a4955adf2921372f68f

SHA1
85ef395d534efcebffdc96bc670f16ece1944395

SHA256
1661bfa1401d707c12f57529005164587333ba73fec465f9e5bfe13f35b97e6f

SHA512
00c7d6ac9b5ad07eb75d51ac8b2775bd7f0f541773a00066ec7c59f986bdffc01cc767ae65807b7c7b0847e40dedf416228034577f7f338bad23a23a5051f69d

Download Submit
C:\Users\Admin\Downloads\VanishRaider-main.rar

Filesize
61KB

MD5
3d15d9b5d05223d0b812f1f51eb05ecb

SHA1
7f0f19e7128f546193685be6efe39a2ec61d8175

SHA256
c39552926a046eca64dab7cafbc9002ae22d592cba749fa03b6416b4a299431d

SHA512
7c65b4fddf10687c119718d136e45c570c4a5f9bb2ddbb23731813b5975d79a91ec062d7722909ede8ced4ac5a6fdb654ca9f1780546f50400f5de095f088ef1

Download Submit
C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe

Filesize
137KB

MD5
ac59764dee7fcebe61b0a9d70f87c1e1

SHA1
4faba8946b946a6eeb121561417ae13e4ec8c606

SHA256
c6487e1da77c82d40628312680ad43343cff5b92462ffeeffed30f46b23625ab

SHA512
b71f1dbc069ee6612b0d6a136d77080f919958e7a6bcdf65260e04ac5efc484042aca0716dda8199970bf7f2d0f4864a4888e3b0dcfd1ef858c615f839c3ac65

Download Submit
C:\Windows\TEMP\SDIAG_bbc0b327-72b7-403b-b587-3a5744b3bb3b\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_bbc0b327-72b7-403b-b587-3a5744b3bb3b\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_bbc0b327-72b7-403b-b587-3a5744b3bb3b\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_bbc0b327-72b7-403b-b587-3a5744b3bb3b\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_bbc0b327-72b7-403b-b587-3a5744b3bb3b\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_bbc0b327-72b7-403b-b587-3a5744b3bb3b\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_bbc0b327-72b7-403b-b587-3a5744b3bb3b\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_bbc0b327-72b7-403b-b587-3a5744b3bb3b\result\299D9C6E-41F4-4DFB-9E4B-6F0DACD7E3A4.Diagnose.Admin.0.etl

Filesize
192KB

MD5
7bd77c9dd4e3f2b25fefab54fe415d94

SHA1
e3400422d779d90fae973526e87862ad10c47faa

SHA256
93421676dc508a4ee0c111d0b17b448309b350a41216e2fdbbda8bdbf77343e3

SHA512
e32407137b7fae0d8ede92ff07fb37e7b1633db00cca476e1bfeb8bac78e76ba45e0e84aa4b48a37c9e883779190f481a486054ed67f0e8c66d00a547bc4755b

Download Submit
memory/400-466-0x00007FFB23373000-0x00007FFB23375000-memory.dmp

Filesize
8KB

Download
memory/400-425-0x00007FFB23373000-0x00007FFB23375000-memory.dmp

Filesize
8KB

Download
memory/400-435-0x0000022A96350000-0x0000022A96372000-memory.dmp

Filesize
136KB

Download
memory/400-617-0x00007FFB23370000-0x00007FFB23E31000-memory.dmp

Filesize
10.8MB

Download
memory/400-436-0x00007FFB23370000-0x00007FFB23E31000-memory.dmp

Filesize
10.8MB

Download
memory/400-477-0x00007FFB23370000-0x00007FFB23E31000-memory.dmp

Filesize
10.8MB

Download
memory/2132-744-0x00000280AA8F0000-0x00000280AA8F1000-memory.dmp

Filesize
4KB

Download
memory/2132-1070-0x00000280AAAC0000-0x00000280AAAC1000-memory.dmp

Filesize
4KB

Download
memory/2132-1069-0x00000280AAAB0000-0x00000280AAAB1000-memory.dmp

Filesize
4KB

Download
memory/2132-1065-0x00000280AA8F0000-0x00000280AA8F1000-memory.dmp

Filesize
4KB

Download
memory/2132-1067-0x00000280AAA00000-0x00000280AAA01000-memory.dmp

Filesize
4KB

Download
memory/2132-1068-0x00000280AAA00000-0x00000280AAA01000-memory.dmp

Filesize
4KB

Download
memory/2132-493-0x00000280AA440000-0x00000280AA450000-memory.dmp

Filesize
64KB

Download
memory/2132-749-0x00000280AA840000-0x00000280AA841000-memory.dmp

Filesize
4KB

Download
memory/2132-489-0x00000280AA400000-0x00000280AA410000-memory.dmp

Filesize
64KB

Download
memory/2132-497-0x00000280AA8F0000-0x00000280AA8F1000-memory.dmp

Filesize
4KB

Download
memory/2132-740-0x00000280AAA10000-0x00000280AAA11000-memory.dmp

Filesize
4KB

Download
memory/2132-741-0x00000280AAA00000-0x00000280AAA01000-memory.dmp

Filesize
4KB

Download
memory/2132-743-0x00000280AA900000-0x00000280AA901000-memory.dmp

Filesize
4KB

Download
memory/2132-746-0x00000280AA8F0000-0x00000280AA8F1000-memory.dmp

Filesize
4KB

Download
memory/3624-972-0x000001A7F26E0000-0x000001A7F2889000-memory.dmp

Filesize
1.7MB

Download
memory/3624-780-0x000001A7D78F0000-0x000001A7D7918000-memory.dmp

Filesize
160KB

Download
memory/5016-1041-0x000002432AC70000-0x000002432AC71000-memory.dmp

Filesize
4KB

Download
memory/5016-1035-0x000002432AC70000-0x000002432AC71000-memory.dmp

Filesize
4KB

Download
memory/5016-1034-0x000002432AC70000-0x000002432AC71000-memory.dmp

Filesize
4KB

Download
memory/5016-1033-0x000002432AC70000-0x000002432AC71000-memory.dmp

Filesize
4KB

Download
memory/5016-1044-0x000002432AC70000-0x000002432AC71000-memory.dmp

Filesize
4KB

Download
memory/5016-1045-0x000002432AC70000-0x000002432AC71000-memory.dmp

Filesize
4KB

Download
memory/5016-1043-0x000002432AC70000-0x000002432AC71000-memory.dmp

Filesize
4KB

Download
memory/5016-1042-0x000002432AC70000-0x000002432AC71000-memory.dmp

Filesize
4KB

Download
memory/5016-1040-0x000002432AC70000-0x000002432AC71000-memory.dmp

Filesize
4KB

Download
memory/5016-1039-0x000002432AC70000-0x000002432AC71000-memory.dmp

Filesize
4KB

Download