phemedrone | hxxps://www[.]mediafire[.]com/file/v04wcs9dlfq5ke0/VanishRaider-main[.]rar/file

Resubmissions

25-01-2025 21:47

250125-1m6gcssqgm 8

25-01-2025 21:19

250125-z6jw2azrct 10

Analysis

max time kernel
51s
max time network
54s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-01-2025 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file

Score

10^/10

phemedrone credential_access discovery spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7213845603:AAFFyxsyId9av6CCDVB1BCAM5hKLby41Dr8/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Executes dropped EXE 2 IoCs

pid	Process
5788	vanish.exe
3960	vanish.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250125212001.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dd15cb11-c737-4785-9f82-249bb30b6115.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
3192	msedge.exe
3192	msedge.exe
4092	identity_helper.exe
4092	identity_helper.exe
5364	msedge.exe
5364	msedge.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe
5788	vanish.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	5572	7zG.exe
Token: 35	5572	7zG.exe
Token: SeSecurityPrivilege	5572	7zG.exe
Token: SeSecurityPrivilege	5572	7zG.exe
Token: SeDebugPrivilege	5788	vanish.exe
Token: SeDebugPrivilege	3960	vanish.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
5572	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6004	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3848	3192	msedge.exe	81
PID 3192 wrote to memory of 3848	3192	msedge.exe	81
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2128	3192	msedge.exe	82
PID 3192 wrote to memory of 2136	3192	msedge.exe	83
PID 3192 wrote to memory of 2136	3192	msedge.exe	83
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84
PID 3192 wrote to memory of 1908	3192	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd71bc46f8,0x7ffd71bc4708,0x7ffd71bc4718
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2840
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x114,0x158,0x248,0x254,0x7ff7c7295460,0x7ff7c7295470,0x7ff7c7295480
    3⤵
    PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6580 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2614827537412723449,17909047033577283021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:5828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5020

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\VanishRaider-main\" -ad -an -ai#7zMap5418:96:7zEvent2153
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5572

C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe
"C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5788

C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe
"C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vanish.exe.log

Filesize
1KB

MD5
feb0ed258790a49cb67e80c65d8d05b4

SHA1
b0ae12fa6b20f2997367ec72d00062d604555462

SHA256
55f74ed49d79a243cb5b9104950a4ffa18a63b23a9fc1be99f0175b0e3beec07

SHA512
e49540da4c4837bae5f102c6e7be413ab26aea1a3315e581543040485cc5082e9a1891b6c9f9f76ae6a67a68920270c65b811c50eb326e33bb918c6ea49116b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3cba0cf8-b34b-4b70-81f0-b5ddbee49b3d.tmp

Filesize
8KB

MD5
d0e837947adbd97593156bf5a948d72c

SHA1
e1a5cd238445cb11984bc89c7f3d349a5ae0277d

SHA256
ab917c42f9ec6294bc0fe50f52beddba24a2bba02c97022b006a6cc98fa6c039

SHA512
754f3ce864f0a473253c1c39756acab99d9c62925b0afa975997bb491a839ace564560324b237fd79af6892e9ecb437d5a2eb0b34d98bb3514b4d9119c5d25e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ced4aad7256ce749edd2ba28023150e4

SHA1
c825c10448eb3b94e532b3023ae199c925ab1602

SHA256
c4458e5a2c81ec9941dae0361a0fe791dd6b9cb26dc824259ab33f450d31bafa

SHA512
30d4cab4d89a467b9a0c9395e0d30095619800682586ee3616ae1c0f146b2beacf264245952bc7e9d5bb0fc14290cdb2dd6a00f4b9b8e28aa338fd98a9a365e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
17ce65d3b0632bb31c4021f255a373da

SHA1
a3e2a27a37e5c7aeeeb5d0d9d16ac8fa042d75da

SHA256
e7b5e89ba9616d4bac0ac851d64a5b8ea5952c9809f186fab5ce6a6606bce10a

SHA512
1915d9d337fef7073916a9a4853dc2cb239427386ce596afff8ab75d7e4c8b80f5132c05ebd3143176974dbeb0ded17313797274bc5868310c2d782aac5e965f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
63af7b2048710d6f167f35d94632a257

SHA1
812c8f140a72114add2f38cab52fd149ad8bdcfb

SHA256
15aafcc88226b6178e02a93858555ca48fb205ae317815ce31aa547555329046

SHA512
0519b7dcbce66aecefbd2aaea6120c0da213d8bb3e00a7599bf2e390bee3f643baf952cc553766f8c2779fe9fa303570a56a8c846c11e2fcf9c2075c1e41ccc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\429650db-9d7d-402f-ad14-bcb1861231c2.tmp

Filesize
7KB

MD5
d388acd116d95803557a202350f8bc71

SHA1
3fb26a0acd2f95053fc8d170e3dbef57853c787a

SHA256
332f0ae183e4a0711498c2d695539e82a04ebbebc3a94e4943276b1fc23404eb

SHA512
a3fef63fd50a126012f8b40e05ee29afa088c0ae6c4588202f5ac0b6e5eb38f506d43fe97fb9ee94bbf4834fe550950985ebf03d1f0dac85a21db821766d1666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
21f6aed30cffb1efce1d8559e3d37514

SHA1
e005698d1c0de632248b5524bc4d1e9addc4ce24

SHA256
cc595390e7d1076cda5690f891a18b2e546016d2baca8503df744d110ca36cec

SHA512
6404ec449cda72ed60c8d7c11af201d8c11ab58f772ff6c3eb1869fcf3c922e084f75c92ba18b0478c3b01041436fca0c57152ba33a3fa5a53a8641474fd4c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
8e9acd860d9877b0a378a18a5ac3b900

SHA1
77ef2f052f0acd608bc6e4e96609aef0979b2599

SHA256
c0d0e4252364c7c80b61dd3a2b262d6db3c784d778ece2c49bdf815d908f1caa

SHA512
016e3445fa444ffef75b4b7174b06341bc65d3886fb0defdc63a221644573526a27c1404590d95956e366dcb4f3a222992ee57fc3036a53c849c2844ea2d3cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Collections\collectionsSQLite

Filesize
64KB

MD5
2b65c5d1ab0aa3f3f57c635932c12a5d

SHA1
b532c837537438e591d5d6adbf96a5dfe5c40eba

SHA256
c111777e9b9a42cf62b06900b847283238af63d15033c40577cb10aaa58c084a

SHA512
7d75089fb928c23c0166a74bb2baa3c1245bb23012d30ec2cf1fe71f8412700d354d4b9b8070309b23a5b003e37727ecd00f9ffaa018ffa5bb67ad1bed58e175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
279B

MD5
6fb75bb1def9dcc9fdbca4ea070b89bb

SHA1
d342c5b632990761c40766dd6bfb01612fb7af0b

SHA256
b8e0602a4dccd6d452d34e31513b377fcc0e8ceb4db9ffb276ec5280b546396c

SHA512
204da10689ac5878f489488277e293c3aad07cad5dba72299336afef7543639e31ae719aabe78a3b2951ae0a37912130d0e622b42d3256ab99b21876bb3e61c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
103d7c51198088041705fb9cda471ec6

SHA1
2758355517d2fa88ee294936075b1ab56ef88aa8

SHA256
901bf9fcc09d97dbe4ca9a372c1ea1cc161a6d62ad49b47236a9477488d199c3

SHA512
00eea017c9957788b2a5de76a212ca66aefb98b831fe5e1c9e4269b87a977799e6bf3041d0a07fd42798da16281189705f1769d1b7c496ab8917cf0a75ea66e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
64298402aefa7d4e1081555a943acd9f

SHA1
2fec96dcaddc2740a0e806c9069510beccebdc54

SHA256
5cf25f38b468a61832a7ecd992043ea87b60b548503d5539b565ddef9a6e29b0

SHA512
3c89649ae38018909e8f757973f70e12274fd152e2ccc74077814b77a565605b80f8930354ab1a2d8184935f0454e6fbfdc8059c8cfa842b305f00775c323b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
128KB

MD5
4199da0cb806166509917df6057f2d80

SHA1
3a031efc8290747c96eb4b228a7047f0faa59fb6

SHA256
2a368a675ea8472d44082177cd1b8ed20ae77bbc86190321052422d7185c535a

SHA512
d6e1e1d9631e09ee090fd24b7020f509bd05902c6dfe4bfb41a4424576b66a5e12488bcc85956c5a1c190cbea4041cd5b52156e70261af69df184bab49051e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d11f6b6b70da9f47da0ced298cde6cac

SHA1
9c7b8f8bd69955538fa7066fa3ecc7d9187d02ef

SHA256
49b0e4c5cac67833f8c2b07f2f1c3abc526de1cbbf4721906937be10a77f3276

SHA512
323935cf3a5226e1fdc4f0793d96bbc0a16b70b90e5415ef54c21625824a540f46a206a2c3f0268e829a2a8eb3ed9743be53b5dd8103d96226c5835d821e89e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dcfd1c35865f40d4eaaad381fbd438fc

SHA1
7c7c93e1f541920ca5a99e2cc5bb3bf4a26ed1c5

SHA256
6fa69413e6df4a2a656f0214ceb27d876641732f5b4490095c4faf35dfe709e2

SHA512
247657504744501ea8a5f0e1ce4588762881212896405be2e14d49aa97b9757b013f6427af88cd7b00e490dadf625778a8d52086422113818a7252006f244c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8ade2f3a82060e6d5b1e97b275213d86

SHA1
a13c13d850addf7c1c1d58c583255f77b40b7834

SHA256
fc73beb5ec396531d7267cd4980e720590ae4c7c34b6bc63bcceef59730d324d

SHA512
51d989a44462ffea680e4bd9b20c46705793236712d11f0400e12caaac3512d662a41b4b49e7e309c8e752dc7738eda080451b74736c6428541196dd7bb8ca98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b8d5a6329bbc5edf31844f6bfa4ae972

SHA1
1014d91ea7a8867459e7014a725794728d75793d

SHA256
2d90e12869f60c869911a3030ea58211b6b0da7c53d396769f4b3dea0c406309

SHA512
d6b4a08d7188e48b3ec2dbaa78f1ccc23334f43266602c677ba5c52d54554ad02e5ffc32e852de47291e3f1291dfc34db62d4a1eb5f631aad0a0340d30e5f7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13382313598552481

Filesize
10KB

MD5
648dd25232ccc9639241d5bdb6da755a

SHA1
ad4c3418b8cca42b9b7fb3a4357dc83a6284ee26

SHA256
b0bed4b02d39f5f9eb97c719a88a7c56888631921b75ac1883feb33f4db95ab8

SHA512
0c937eb90574fa7e6f01a9f12b2ce89484b5a4ed38f8432b995bc26d64903b36eb2b14bc805c7ce7990c7bc5483ac7588eefbee56d9bf824bacd34ab19f6b2a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
fca621466ede4c2499ecb9f3728e63ab

SHA1
3d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4

SHA256
c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8

SHA512
aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
68d9b51b8a605374aeb031df202a4072

SHA1
36fc3963510977df30ccb1ab86f783ea13f7892f

SHA256
ce5421af5271700fa17fba51550242150f62094a015ae0efc62f1e99fa5946be

SHA512
ebe0eda943853190861298187609f380c33be90fc85b0418ace8fec1683bca2ef97db36ed58f8e17b80365418397e0b9e93728fec8b6e24aa52f42f985457ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
9420495953b9fe8ba6e8c4116b872698

SHA1
ca0089c55f1da56e96266661508fb7762ed7e8d0

SHA256
eed94f94c6aa9848a82eff4e215108c58c5ac0bbe223e6a52b2bbd51377ed0b2

SHA512
28c9ec9a9dc685be04e444ce3f524e84321e9926c4a480c78ff4b6812e6ff9de52b63289837ae58e003643076c65b59ea2ed01f9d02a841e7bf09b003aadfa6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
74c7b709d196e49c46cb0617c50be9d0

SHA1
07dcf16b9ec46b5b16263f39560a43d94e7f073b

SHA256
a11b048db8c54c163873223b495c8a41ae6fdca702ab45f9827acac236344e1d

SHA512
31c3f05602481633e26f8cf976383a837a1faf2556c33119da9567bbfc7101fea23c53cc5ea6ce48c81400b118c427f4fef4209740ab3e554426b3c317fc8651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e3b9.TMP

Filesize
538B

MD5
a71c70546d0c02cb5a6103259fc4ebad

SHA1
c402dbe28660a9217586b98b48b7e10568bcb9ef

SHA256
eb37c791e182078ce9ed04562f4fb80f3784cc7af1671676b3537d8fc5f7cf70

SHA512
c41e3624f4754bd8f8c0bf3349792fd1aec031ec4a81b724c6510293b28a2d86633872faa3a18b9c61a889a0ecd82c0f359eeaaaa27d614efdbd1c885c3428ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
7e5208968186f5cc683a1860a2c85c55

SHA1
6ea147183e0e8a37f1a46319dc11d1805f31e53e

SHA256
bfae4916e992c4aa9842b8e37f901f50c1bfc9b69fd63e5cff42c2db2407812f

SHA512
96812195c904d6e69bfa2072704b383db08439f6f45c36fcf4715b38c401df8a3fbabebecb025d1dafadfb7b1e7394e6e0ec58619aa92b68008900e0fdf5aad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase

Filesize
10KB

MD5
8a270b64a298c30a5c2636b50a9d3319

SHA1
f4701fcabe744907b6d4172053912ec30912550c

SHA256
b6595af17987deaa5ff4ced479197d0087c24213188a32683f063b113f71ff16

SHA512
e029a3a75ca0b9a82a8a4ba5dd430ba444a8b8e5533c00b33fd1b3701b753565df41bda31e7d6cd9507a1e0caf568a8b74cd19619f091f2e161b8f98d1df1ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
198B

MD5
4719103989112f11e7030fbcf78319b0

SHA1
356cf1f9ab01a5238f0b0cf91a3f1f8be4199c61

SHA256
ac16d8d2225dd9e946c7c68f13b818230dcd3ceedb0aa84b70175e6953b03dd6

SHA512
b2389e4b0c2c5be6f6159c318ed2e3c4ce4522053d22297a1f74583f06b87a3b167da6a830b1f1335087e36634965e382a8df3f1c34e409f8eed8d4b745c3949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
4KB

MD5
d9f84c8cf73422f2ca07d7e7462b9534

SHA1
cff6e092bf5bf1f3f47b7074847e204042a881ae

SHA256
5bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2

SHA512
1ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
1.8MB

MD5
747e282f06aa60d054d490d6857bdecb

SHA1
95e6285ce4611156778a771e9d4b6d69677f8d8a

SHA256
3c7d39fb273a66f6c28b85e5b91f5bed783e57a1b202e6e762283865b43136ae

SHA512
089a29c782d8cb4f3b53ab39e49b7affb63d4ab7f4fb346f2dd370efd74c8f051f78f7d8e01941fc277de0817d88d9c680f8c0b5659b06510abc4b8fb31f5e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
5KB

MD5
6bd58199b982da57b1c58713268c2d96

SHA1
ab21cbce80aa9549b511a1e8669f53808e2c8bbd

SHA256
23b14213b9cb204534e4aaca50921fd86e0ddc37b4f38cc7889bfd0a81f821a5

SHA512
d967985652728c1b473cc62d35ea934dcd81175057e7af4480368f0dc291c6ac93b70552c386ca4f9b4494b73c0922a912b515811c53f12f982cb8c362f22844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
279B

MD5
95c3a8cdddfa50ae4578b06361485345

SHA1
95d998d5d1c898deee8f2f99f93c4e4bb618d997

SHA256
c0a0ad1be9514e35ce180d6dfb0dc533338061f879a5c5bcf40e2cd73f3c4ec9

SHA512
35c15a9ff4da07c0f2ad51d52c844174a6ce9d372aa12ee4a984ccee3b6bbed5e15056f7eb93454452da1c5d1641667e2052e52cbf62a45350b6922f313bf60a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
497B

MD5
fecd5e18e302b86bf4def3bf8a5b535b

SHA1
1af39810da7b2b923231f3f96142ce74a09c4ff6

SHA256
4ea6640f66d6508f8dfa4888bf2fc9be46f045528e7e55e01a436b49f46a3e66

SHA512
7ea7e2ed80aea0ee136a3e1f9903b63409488d32f483157fe2a684c4f872586a6f0a6e66bc7677b1e2ee579636d76bc13187353b9a9d80d267c3ef28891b52bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
297B

MD5
149e6d97ccc93a26696bebf9c8ae8dc2

SHA1
dac32cd67f222abd919a88cd8e2a686f26d4bc27

SHA256
f2f23a77195990206a44d644a3fd56ea4d55fa29280852aa4356efe8adcfce37

SHA512
21db88befd9fe298fb7f5967a06b2d74c29193d2af1721e7f6e52b6f31f71994972502856dcaf1c1071f3a351e7ca43fa329ad62279cf036b569daaa2c321df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional Data-wal

Filesize
44KB

MD5
3202a370b7c503a56e298170c63e662b

SHA1
8ed644d9b08160d6a94f9d3c2ba2db1946ce4678

SHA256
ec949c448e66ae1fd3d276c3236aa85f3635b86d5590a89315ca9d1d08b01cda

SHA512
c3f7932ec88e9a75f462f011d533616b23af35da2aa6b29e3883ded661db39863dd80e7f07aa8eeea8f90ab6dd5b2106baf6d3ef2d949d1640f5fa1f46458614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional SAN Data

Filesize
4KB

MD5
47d51beea86408c240b4251384386ab7

SHA1
5b858e835e716717946d89d787f3a189ae9c426d

SHA256
28b7183dcf3ea002187959d15d308f01749257ac84d5265ebfd90f4745ceaf64

SHA512
e36ca1161a7a225caed4e30c886e95b8a8ec3ba4a73618048a93a6ba4341cac47f97ed103df6e6d33088da5517d1efd42f16386b0b1614dd5208e2d0756f0821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional SAN Data-wal

Filesize
44KB

MD5
234419fbb9e7985260471f606ee5c525

SHA1
5b4604ade004fc2ec063cd6aef4c783a92e2f329

SHA256
eac56335458159497868419a9250694c8802a90c333f960d55a5f1dab128196c

SHA512
cd0458fea0217e8c3c528c36249ba0f520adcf889b86ed73e863653d7e07af4ec409d46256a2bdbbe694ca8ae5376d89daf747e580f5cc6f3de3e615f42bb1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
243eec7e2a9c61453aa16630a9279f31

SHA1
0f1f6aea7f438208cee7a54ee73ef816cd7ab7a0

SHA256
3785a20eccab5c0ee5de08685919edc76df7d7d3ce13220e421a3aa209f00fff

SHA512
ee5dd1f4f6c0ac712d1a7f23a7d3a9d80b75932cae16e97d81eed8b9ff031b1d61718b1d1bf7f25caff8e158e7438e1b5b3c8a2eb134aaaaeb9cc03a12e24f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
fc4dee8ddd33d947ef54758323733315

SHA1
cb497daab3a76bd72be4d6db43e36cdff5208421

SHA256
2452e498e0da2fbf0120d1e7497a6288d3015537dadd66b756c5102e7c3cde2d

SHA512
21d0ff0fa48c6d8c546c49c4eff9c4663457b28966e0bb1909a7b77e45b149febe0f1ebe5a4eac624b4f076ac422037a98bed4b3e4c2cf8743dc59c8a612f801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
e3586819c35ab18aecad672816893e27

SHA1
ad4a3b7ad262338a4d1e9304ec954f598811b878

SHA256
72f98fdf8cb6cf4bc341d68b97b8b0c7a78ab524de1f15dd88e01a1c1c79419e

SHA512
6878b096d64a2ac7fcb163220712d09cdcca98f5b801f98936cf91c140340c3ba21b6305af1c862d93ced38a4cf877866893ea904fbbc0243abcfc9f2ae3f462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
05a3dd03ec4805e80ce0debee90d476a

SHA1
16f32bb8cbb4c0bd1f9c837973bcadfee26febcb

SHA256
c835f14c4d47a1255b71411e8aa90f862377cf5403d4385df266cafc69c8c08e

SHA512
0b44be23d6ccb7ddd7214e12f04977772b3b07310c99e7c627eabd4d3c2a21bd92fd30e37e471e5269f2f50473ec2ad6b623d797f24bde58c8a6c2def627cd20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
146df875aba27820eaf6bb345e0d33a4

SHA1
15a33e8a795f60c1d4c241d861652445f31a1e54

SHA256
cfc2c99a375a858a22796d26546bd1cd8b7abb713c9aa9c44d5d6793494b5bc4

SHA512
3f2c4d1e1a57ab95dc3ddc37b8eff83b2d26518bd1e60ee53e8fd1237cae2f23e7f2b737d4d5f58aee2ef2f8402bfae53703bffb011a4cbc030de88d14e0fa22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
94e4f40414512780230b37b6b29e13a3

SHA1
f54c1c697fd1d5e5c7d9f613bffa47e8170e7351

SHA256
2d6073a7215509059dbdc2ac6ff204302913c95263a60e2403146afd18832a43

SHA512
dedce13a80856b39ecd545a896d05f606fe9ee21473f8745febf4b18a4479f05aa5dc057de99f3320d065f8a702e1a1f8e5ec5b505a1262ca7314636a25513fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
5e1c4cf746c6694fec11364c0d58558b

SHA1
b6c0e7db0970a42803cfc86b9d12a8f36b90fd63

SHA256
ef4e1553289db727c56cc861b73abce5a41c20c050ed2cb84e6e6664bd65c625

SHA512
427bbc5009a0ab7b5833d29c869ff0465d226acd2614b41ad2c9717c132baa408b354d06d917ccdc18834784994ad7bc327cda2f28b175846a1fe97ea3fbd384

Download Submit
C:\Users\Admin\Downloads\VanishRaider-main.rar

Filesize
61KB

MD5
3d15d9b5d05223d0b812f1f51eb05ecb

SHA1
7f0f19e7128f546193685be6efe39a2ec61d8175

SHA256
c39552926a046eca64dab7cafbc9002ae22d592cba749fa03b6416b4a299431d

SHA512
7c65b4fddf10687c119718d136e45c570c4a5f9bb2ddbb23731813b5975d79a91ec062d7722909ede8ced4ac5a6fdb654ca9f1780546f50400f5de095f088ef1

Download Submit
C:\Users\Admin\Downloads\VanishRaider-main\VanishRaider-main\vanish.exe

Filesize
137KB

MD5
ac59764dee7fcebe61b0a9d70f87c1e1

SHA1
4faba8946b946a6eeb121561417ae13e4ec8c606

SHA256
c6487e1da77c82d40628312680ad43343cff5b92462ffeeffed30f46b23625ab

SHA512
b71f1dbc069ee6612b0d6a136d77080f919958e7a6bcdf65260e04ac5efc484042aca0716dda8199970bf7f2d0f4864a4888e3b0dcfd1ef858c615f839c3ac65

Download Submit
memory/5788-333-0x0000014365E80000-0x0000014365EA8000-memory.dmp

Filesize
160KB

Download