phemedrone | hxxps://www[.]mediafire[.]com/file/v04wcs9dlfq5ke0/VanishRaider-main[.]rar/file

Analysis

max time kernel
275s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file

Score

10^/10

phemedrone credential_access discovery spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7213845603:AAFFyxsyId9av6CCDVB1BCAM5hKLby41Dr8/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Executes dropped EXE 1 IoCs

pid	Process
912	vanish.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 200000001a00eebbfe23000010009bee837d4422704eb1f55393042af1e400000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f44471a0359723fa74489c55595fe6b30ee0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\NodeSlot = "6"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "5"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 6c003100000000002e5acc16100056414e4953487e310000540009000400efbe445a9216445a97162e0000007c3b020000000c000000000000000000000000000000a0062200560061006e006900730068005200610069006400650072002d006d00610069006e00000018000000	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3296	msedge.exe
3296	msedge.exe
3216	msedge.exe
3216	msedge.exe
4328	identity_helper.exe
4328	identity_helper.exe
224	msedge.exe
224	msedge.exe
4512	msedge.exe
4512	msedge.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe
912	vanish.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4512	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2984	7zG.exe
Token: 35	2984	7zG.exe
Token: SeSecurityPrivilege	2984	7zG.exe
Token: SeSecurityPrivilege	2984	7zG.exe
Token: SeDebugPrivilege	912	vanish.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
2984	7zG.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 916	3216	msedge.exe	84
PID 3216 wrote to memory of 916	3216	msedge.exe	84
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 1688	3216	msedge.exe	86
PID 3216 wrote to memory of 3296	3216	msedge.exe	87
PID 3216 wrote to memory of 3296	3216	msedge.exe	87
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88
PID 3216 wrote to memory of 4728	3216	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9491c46f8,0x7ff9491c4708,0x7ff9491c4718
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2412 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,10299391499517498310,15862776723328591138,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:3848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3228

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\VanishRaider-main\" -spe -an -ai#7zMap13593:96:7zEvent25633
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2984

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VanishRaider-main\tokens.txt
1⤵
PID:4464

C:\Users\Admin\Downloads\VanishRaider-main\vanish.exe
"C:\Users\Admin\Downloads\VanishRaider-main\vanish.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d071abd21ba95452bd70e7274b2139b6

SHA1
75ea5ccc5ad04b9634e377b286fc99c448f07891

SHA256
973e07a348e7b2dba242b74f59a5d3d690842f19be76dd15a5e693992f08f142

SHA512
af42a390439b837dfffa305f21fb573b6f2028bbf767d7dcf239900fbcbb8d4e7015d37a8c52bb513bad60f6f5039d4e699acf8b5135b24e8d0e26a1d96d9b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
102f253d13f1fcbd58ff7ea07502d0f9

SHA1
17fa9662f4778117d415f7821ad2f9eb549832c1

SHA256
6d75e75b1174af3c7b730d9d4a397e5c1b53c6935f7c4ea675da4e42a9f6559d

SHA512
5401a9bd5aab0b6add34e79e644916c3869198b3310c47aa8a845ab2d4d566d973c2a56e888c675c96bd04d2e1cbc756189f9122d6ce4b88cdbcbe1186ca7eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ccb095cd5634ee4d3d3a1cdbc2795e03

SHA1
d69402a9ddf8b121ab4421edf4e094095d59d19d

SHA256
e7ced369215bfc2654fa6a11b074da3ccddfb1c71e693bf69887b247e9b87cce

SHA512
0fb4408a90757cb5e2709a70b4a98b3e5630fdade051ea89e2a9f7c2df955f00e6f59077b82d6df745d9bd3292b477658bb4aa4a72dac8d146a5229c6df7a022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
767b341ef05d652779a73f30f0d96169

SHA1
0c1cf8889dabcca29241caa4a7b390fe7ec85ec6

SHA256
63b5f727d518cde8aab95dd15cc78e1dccef526baf395413813bca0407a62c7e

SHA512
80a1d27e92fc3f51b59d7ec63cc47384563fc13e7877b80d857c2fd71d4bed69781f86eed0d570070915da28b961a515ca3cda09aaf6b75215769b0b13c3333b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
21c706eeb1394bec0a70464ac0484c06

SHA1
1eb8f30dff62ef71d16d7b076cc1453013ace385

SHA256
5acf9d6f684d5af51ab1eafed18f155e61d1e36790ebc8d2c728e1b004f9bf03

SHA512
d1b592aef244c634f478d70a90868ef078b96a101b60044f9bec341897cd58209f9423da0f6ce3e1d9865fa1b3f6896dd23dcadc539a22016fff675a2bd720c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
437f12d8c064bb1ceb3f289ac09aace6

SHA1
fd7e43e538914b54002169fbd6bb9e407c5c5a44

SHA256
62678d07d4fbc261b1bc39d3fb3aad54d1fd0c8ee90ab6487729292136fa7f11

SHA512
30963dbcd06a8dca762be0cedcbb36cf07ef35e8dc37f987865cba64c8efdecd5e73a3113927b954b0e2bc07576ee7d6eea64713b17deab64b381375ac2feefa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
05f88c659d23315744b8a5798c59b44e

SHA1
eb24af8d8b16fba581eb1a9e320efbd6d5c4db90

SHA256
4f5aa603b04d52450a48fdfa64b7a74b7801c50ce1a96e0480efde59d6d1d2c3

SHA512
28375d9f158a42e87e91ba6e4a5903224a8556cde150d94087ff27fdae9e5dbe1a31f3e73fdd01297254fdec559ad199cd34513c0389c927e880538f87dd17d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f63aa8ed31b3319e4bff1ad64717cddc

SHA1
c84338f5366eae8a5b86bee9ecbca6677fba5ce4

SHA256
807d4d07192ee9e8ede6675ff249ade94aa5f39af5f8e520660037a4b8338e22

SHA512
532ef65bc864468fb50e1721d0d82a0aecacede96641912386b8d006e2a246fd208f1ce9eebccafb072b35dc4c173f9ec787835e7a8d2d886b36b33b4702f516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
00ce8611d6c264ffd61b8d7db146a7d0

SHA1
e78fc9bd54541359b9645b52274569773952c44e

SHA256
2452d5a6fd53be3ff5f59de9dbefe5cbaa623ca8da08d862bd8712cd2bd90c3c

SHA512
406f5f544197353a429a73d9b845d991432571acc1352adfebc7aec8cbbf5b41d9a4d4adf49a12bdb18152b52da9a2ed79f2fde5fd004ed6d2f095323e52058f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
96dd2c5bcda9ddcedf5960398a3ed8f4

SHA1
0c58a36f54b813d95e3c3ca25f5922826a073ecd

SHA256
5bafda3735b47bb391e219c328f38b2216c2242a4215f19ba7cbfd9df57e134b

SHA512
f079a258947dad507304c016d1be9dcf1aae2bcf6633cd3635182265aa0655526d879a969e6d169daab719a55d29cbd5d84fdb562375e465f0ebf0b8480468e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cc23b8d5f9b38e0b136985171f9b4dc4

SHA1
9d01aa1e9490605404b5c0111cb332b360325d30

SHA256
0d4fa2a79027a95e8fdbd3d668fadcfffc42c279ae0cf93acd4420559d5d5823

SHA512
79dd9e7911413c487e4a1c857db94d94d40e877f873ad55b736593fc9ae99203faa2ca44cef4410e3965bfe3e4b32595d87d76ddb743f27f14869fc5df508345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf7079999ae6d3e5b50be8c1c7c279fd

SHA1
63ee18eaf1d9b9d687122a8cdf43709940ddfe03

SHA256
4d538eb0da7b2a6ea15a3f7d6cfe5a47b78f6519b2fc9bfcb7eaab874693f545

SHA512
78efed52ea7309ec1bd81c4a10a9ef65337a28efc1fce9094cde32f30b768348fde2fcefba1c36c8a86e28765412cf400fdffeb975be090536e1a5372d519c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d244.TMP

Filesize
705B

MD5
7f811940013b78d56a9d9a265943293d

SHA1
bcfde0aca7c5ac3abdb44d75dd1bb78ba96c46ae

SHA256
7577525fc69b8ea69da958a2e7a75441cfe7f2c235590063169f70c4184a35e8

SHA512
5ba3c87b06ad5a9de8701008481ae65d4eda9b86624128aa2152adbc2ea65802f180f7ab7ee44cefd9916148b329d6c140a855fb50b0ce0a9facb125e91b7c7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
db9b35dfe9695bbe021342d07dfb8372

SHA1
c4c09ddee6e59148aa180cd260764fed22bb074c

SHA256
2641b2a93d59e0230a6b4517f1be85d49e766e10a4ad3d65a1fbb943ab679bc2

SHA512
6b7486992e373deaba5006eaac93861b239d52f3ddd7b534ff41a8ad709a1588fe2641a1c27d96a5d435c947fa275a844e449bd4976b87d552ad81b1cfde499d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional SAN Data

Filesize
4KB

MD5
47d51beea86408c240b4251384386ab7

SHA1
5b858e835e716717946d89d787f3a189ae9c426d

SHA256
28b7183dcf3ea002187959d15d308f01749257ac84d5265ebfd90f4745ceaf64

SHA512
e36ca1161a7a225caed4e30c886e95b8a8ec3ba4a73618048a93a6ba4341cac47f97ed103df6e6d33088da5517d1efd42f16386b0b1614dd5208e2d0756f0821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
10e8e8f73f97b0bf2a933882564aeb2e

SHA1
cb971110b229e22e0cdd142ae5635f459a7ade24

SHA256
c724b7ac0fa4390b923f69ab10fae8e0f2cd971d0189dc0b53b92247ed8ad398

SHA512
23b4bb997487dc2566f85831d4065067083552344879f00bcae164549aa08b011f8270fb1ba93c4afb332343bca7d2c9f66d366da04b89a36a3453a628a594ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
22675526e1a59aeade076895b4f40cda

SHA1
17c7164b6ffa9efe5dc21d406c9b7c2ba676ab64

SHA256
9c41193181ef6ec6886c1c6578a91726c9d461d9c311f6e0be751b35ab264d9c

SHA512
3f702da97c58234ae8bcc9351434383b9110afed2cf9b73f9adc9a1af02d3ebbf085153479e59b65dc7c45d77a57a5dca9e1a522734003dd0323a2a1fce5f9f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
c73f5e6d984d0a707b126817a2f34080

SHA1
61371142bf3e0403fcd900b7e53268e938ad5dc8

SHA256
c86ce968fbbcf191f35617766d1136851085cdbeffb0f4c008280e0f970031f3

SHA512
5aeb2a560878856d48a56bda42be585d0aae785c7a4652893e28f1479e8ef2ffa82c543a39eac86f03f1fa20fb157ae5d189df97e6aaaa22edef06ba084cdb3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3eeca3ccc34b3a3d4102ce548e0a9a3a

SHA1
349a8e9d45033c71ab1b6b2c383f986c75a702fd

SHA256
5adb76ab98ffdb9aeb31930cb3f46ace380563fd27b61b494b0046f36368eb1f

SHA512
412e93f320dbb398fad982e528fa82f711cbd76162d377cb37ae562a28097da3db1125e5099c3b6e01a0944e389689f2562a7064f03b46d3c884839bee4da651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
778a6ff3b9ea349800d8f0df337e9f14

SHA1
cb6532026e325520ae935f7fac6688211cf44d6b

SHA256
0e5d981c983ff98e0989d44d210e23449a3a95fb8eee83b038d83ec72576c0db

SHA512
97227369f7c804782a39a1dd80e6efa8d2bf489746215d94bad7841eb3f82fa9dc40649f657056516c84817519708f1d619f90e461f3c0bd091672fb4b35117b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9506fdc8e30b1005900279282f926129

SHA1
84df03c3ae0ce6236d55ca43bf3aea209ebf98cc

SHA256
e77a2fd09c35ddd9ac74b444b97a6d45b3ae2017ad042bdbc31e4ced18409a60

SHA512
239f4d238fb741ed35fdad18df17232ec40e033431c4b222f1edb12b558f1036b23622e4ba06778b3facadb33ae1217144cbcc33e01fe7af1a0e1f69ffae9713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
53a86878eb5ef2d5418e8e4cd239e7e1

SHA1
711d94dbc24d7fd8875216fce3693096bf9184cf

SHA256
cce3d5dba4a2c07bb611485169a31979f44ee95ac0d3cf78d03172276f3d8e8a

SHA512
876604111a32ddecbc2679e0101f0bb90400fc497ff2f83b203a1665616afb64abe5cd792d9b284e231415db782ca1caa197c7de43cdb9ab93be3427445947ed

Download Submit
C:\Users\Admin\Downloads\VanishRaider-main.rar

Filesize
61KB

MD5
3d15d9b5d05223d0b812f1f51eb05ecb

SHA1
7f0f19e7128f546193685be6efe39a2ec61d8175

SHA256
c39552926a046eca64dab7cafbc9002ae22d592cba749fa03b6416b4a299431d

SHA512
7c65b4fddf10687c119718d136e45c570c4a5f9bb2ddbb23731813b5975d79a91ec062d7722909ede8ced4ac5a6fdb654ca9f1780546f50400f5de095f088ef1

Download Submit
C:\Users\Admin\Downloads\VanishRaider-main\vanish.exe

Filesize
137KB

MD5
ac59764dee7fcebe61b0a9d70f87c1e1

SHA1
4faba8946b946a6eeb121561417ae13e4ec8c606

SHA256
c6487e1da77c82d40628312680ad43343cff5b92462ffeeffed30f46b23625ab

SHA512
b71f1dbc069ee6612b0d6a136d77080f919958e7a6bcdf65260e04ac5efc484042aca0716dda8199970bf7f2d0f4864a4888e3b0dcfd1ef858c615f839c3ac65

Download Submit
C:\Users\Admin\Downloads\VanishRaider-main\vanish.ico

Filesize
2.0MB

MD5
f501f94d978e89d58e71fb706c08fd33

SHA1
e40c4e8794aae9de6194bdfda954e8615a485d98

SHA256
20fa69e2959d206fbf11aae094142ffed6a0c90851e3542c64e863700b3e7a9c

SHA512
bfce01460d6821dfd491ce68621e1ee7f4ffce629e8a732153a72238bdd0808f3682a6f07b28463a10783d5b307cbc3b6df81ba17e09563e646cdfaf55deabbd

Download Submit
memory/912-414-0x0000022F859C0000-0x0000022F859E8000-memory.dmp

Filesize
160KB

Download