phemedrone | hxxp://www[.]mediafire[.]com/file/v04wcs9dlfq5ke0/VanishRaider-main[.]rar/file

Analysis

max time kernel
122s
max time network
124s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-02-2025 13:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file

Score

10^/10

phemedrone discovery stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7213845603:AAFFyxsyId9av6CCDVB1BCAM5hKLby41Dr8/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133832362780963702"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-849517464-2021344836-54366720-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4088	chrome.exe
4088	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1724	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeRestorePrivilege	1724	7zFM.exe
Token: 35	1724	7zFM.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeSecurityPrivilege	1724	7zFM.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe
Token: SeCreatePagefilePrivilege	4088	chrome.exe
Token: SeShutdownPrivilege	4088	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
1724	7zFM.exe
1724	7zFM.exe
1724	7zFM.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe
4088	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3372	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 4056	4088	chrome.exe	84
PID 4088 wrote to memory of 4056	4088	chrome.exe	84
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 3132	4088	chrome.exe	85
PID 4088 wrote to memory of 2540	4088	chrome.exe	86
PID 4088 wrote to memory of 2540	4088	chrome.exe	86
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87
PID 4088 wrote to memory of 1296	4088	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.mediafire.com/file/v04wcs9dlfq5ke0/VanishRaider-main.rar/file
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff9cb77cc40,0x7ff9cb77cc4c,0x7ff9cb77cc58
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3768,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4412,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3460,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5360,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5488,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3284,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4552,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5152,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5352,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3408,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5548,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5640,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5892,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5164,i,152098166413642613,14549143961636174002,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3880

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4380

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\VanishRaider-main.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1724

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VanishRaider-main\requirements.txt
1⤵
PID:1228

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VanishRaider-main\tokens.txt
1⤵
PID:1644

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VanishRaider-main\vanish.txt
1⤵
PID:4360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
22f5e144709fa0ae00fcfdbf6f02532b

SHA1
292d70c93c0f59de870ba91d140c4d5e150fe396

SHA256
f6c845dd9d79dc2599e2ba30b48e9791b5c5627473b9cff543e89247c2a75e94

SHA512
f3bde8d314f97ef0996ccd98adab75b9bd1222d160b5726795df602747e7aed594980c0713d7aad1e43bcdb0e34a76aebe20d20aaca63738987bd8999d8c55c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
17eb79ab2ce119ad56673bd8b5c758e8

SHA1
96c8d60b1f059807e6950acca51a1ea6d80acf68

SHA256
4eadeee4442f2688dbc359f3789d572f047b1730fa5fb695a50ec4a6aafd4b2f

SHA512
55a5c158d5234da658e56e8476148427162628af0966f396aab0619dcec368e303b0c495f99aeed173b4c7b1ba23d001b69d8d25489141cad496023b1bcd74f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6c540bb7f37edb1d7f9c144eed4e5629

SHA1
d7e23c52c88b946f3f72840abc2a44e2af5ff03d

SHA256
af2049b0d83adf56fb2cba1c1aed4317c1b37c214f752aa569290a4d7c0ec2cc

SHA512
331d27a42a0635ebf771d24ac8065b41032e7c662962cfb5dd399ca8434152fc39b127126dfb36f6e93f78051f744e1aae767474c27f70821471000f1e10fca8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d1d29d331be4eb7b4fd3d6c4ae2dac9b

SHA1
619b42351ebc0a8c8aa511a41000600a775daa97

SHA256
c71a386fec16818603ab7fae64af7b1f822ea070e7f7cbcd472f3ecaf5162de1

SHA512
ec34ef390673bd35e30ef2bb4d0fbf812d8d2cbaae2e6953ed8551077e3a599edbc8c37fedb243d26c24bca206912165b03ddf5c5b0d7dee90b66939c88d5083

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
4f343fee375dff8d6d80136bcf2ac99d

SHA1
eed688ea109e10c9c7bf78d550af6480aab77085

SHA256
de9b2b7db79a20bef93831116c4e516b6cfa8e0118356fea1751e7a7e44cb4f0

SHA512
b87ed45d4b81e36ecec89098c9942cb214f138fa1b04326e50d33df91b59fb0485f9db0c4558e8cfbeec4af66ade4e948e639fbcd46f68699be3e24101500b78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
883a4ac81f7ccd918b16e49748d53527

SHA1
4ee927df2d54c509b6a938ffe392abbb1ad2bf58

SHA256
d2b6605845674ac9e348e3ea262c6534fe082cb990a08e2609aa0b1e7f3d642a

SHA512
448ab1e32a65de66ec2133467149045f6565240687ef1ed89b8bec8487208d6585c28b720189cd3efa19560979a7356554a22d4a2c6d71913199bbde885dfb07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ad5b60081fc2253ae1165281010ecfb4

SHA1
86a02941de37a919ee822cae0e600878ba09d33a

SHA256
491a7f8f9d51f4908e6914c2f29843b98533222df4d923e963869fb9ebcfb974

SHA512
b3ac6261854f597eaa5d3f69ec9352de1d52587dd7a5c828ef8900ed779abc8a7290a5a540cb9209c3a326ded82f5dbbcfffd4ebd6ba4b8dfeba3b9bcba5afae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b73f77fab38fd479e253b4039bde4675

SHA1
d6eaf5080b80f4343885fafebc9826a099cceb88

SHA256
60054b471da63e18d3743984502a7eba641242133254b8d79de1c02d7f6f1488

SHA512
d2987d3f131bb2f3d99f51e8ced2046c9e355bb66037bf9b3e659117801a620b2fb61ecbee039f9809f702a0d80ea18684bdc3a3775ed874a10b8eee4c372fd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0933d6cfddc4fa4e1a674d8d660cb92f

SHA1
da5a33ff40c4fadaa86aa03c232136cd4a5441b8

SHA256
2f0be5973f7b9fd3680d4779a3ecd5de518c24b26762525fa78a60ff855443b6

SHA512
ec7634f3aa60eb352dc637438070840a20b08e57816b6f37ecb03d1f0d353e6fd042cab7efa3afaa75be8ecf5c37c0f029d0e7cc2cad56b113e1138c5155c97b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1e58b2889c351568c29961910da75fd3

SHA1
1c387d187529151514f99f4c2f21da3cf8428dd0

SHA256
24992cb434e79dfc1c838a29063b7df9acc2e6e14640447fbb26af421a2e1673

SHA512
74696437f358f3b20e06b9190f80243a1b374ca427a7a78b4c318fced8fb44fb4b3d35a1c12b8475cc3292b0a4aa2ad9c7f3adb130211f64d9ef688437112471

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2530ee461bcc23035f05d13e076869d9

SHA1
0a381f627b07c1555566f7a7a174b13a7922364a

SHA256
a90c91ba22ed487bdf9d5f5b311319a2cea437b732543b62fb14acfcf5121ba8

SHA512
9e63acf925bd2f8ab2a341c9b6320022c0b8b69ae02a5273bdf252a5dbec756569babe7cb54c6906c14f4ff583fc807c53e2a6da3db998da25d2f5178f4bb5ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2e5a01734bf711f7eedea284a353c7c2

SHA1
7211ac8ce506244ff7b7e7b611cc900a5899db3e

SHA256
794471b0335b6611e66590247c0a8523e603a2637e0b9cb0fc1ec1e504e19257

SHA512
fc78a94c5265e55b9223fda9d0123247445acefd223340c18b78ac69b39fba87599b05d8aaa0a24a521930c9291c8e8903e736ec628b7098c3f069f360c19abb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8e5ac192761fa0deca23dc3b8112e4b8

SHA1
cab775386e611b5481e7992b43981a4a033746ac

SHA256
55e5ea301c73aeaf31b3580b5beb007c8a7a1ebb0c23009cb8133e87382d53e1

SHA512
15dfeebaf3956ab5c03b3644718d31ddebb4ca19f6b7de7e614a17a8fe54f0209a4682a442de82ffb2126f73a61ffe1b4b461da6b75af19f566558027b30035b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9e974460233c0ae47999c10044db7b81

SHA1
06fba9374d178127cf2d36d27a95c97caefd08fe

SHA256
90244482bf8b0b34b930b14292af5dfbaa37760f6211195999da26d7c4cf2683

SHA512
edb62da0daa419ecc13e5478191bc901a1356e1f7625cb67603ef6ad71a735094922467129a01f41f7f1fe341f5c733f2c6c9647f88efafac0cedcd826b2899c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c72ca111b1f10b5f43fb656ef40dc146

SHA1
6bb791f7a4544e68e6b6bb54af41fe62a98ee06a

SHA256
defefb43e4c00b7993e22c97dd7e32075e4bc6f26ff1fd428dad36d8f8591aed

SHA512
6e741bfe59d3765a2213003c354a97ec5675dac766ffc213450f7c7b2b5016af9ccf830bd35fa834ffb20603d58eb8bd05c3401b8ae4ba38da0765fb77385196

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
317c84c28d81bec59d8b91a9c758073e

SHA1
4d607cd2c852f191d7958606c17329daf27adcc7

SHA256
d9252483fa6d64e5907143398b72710a3765db83b26403f09550de8d14579b37

SHA512
dd7ad9853224f2c1b3375ec336044b5580624aad78000cfe241fed47013c45f455eef1cdc7fe284b5399e4648e9f0ef62d6cc6c14bcb72fd579b25c8273955dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
a13eb88d4658b4e4c568de377104fb83

SHA1
2b684eaa47b709d8a79b6c1f703b74cb1ee00d5d

SHA256
a81f5e38e8a3247210fe176569c63d972c071c1782c8e9de1c17c09e5bae669d

SHA512
a9597678697d3a86ef18d80a4f39be161740df5dde84ac94fb6f1950de8c21c1f2f236fd64cbb11c9852bc7732ed851713d53f33f806f030a094451c51da78c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
e5d393deb72cd1b8b9eb638bdf66f6a9

SHA1
57787566b7b19e10ac43e629a6e15716599108e1

SHA256
422f69163dcabe9f9f907766645c9c7e08fa931b0383c94d39cffb0f4cc124bd

SHA512
0f8fb7de86e782d3b96172c01e84a92988fbd08007abfe954d05dbf0be9801be8b8e0c8908ab5c495c1f0edfac1f83d8a39a78d4c79033fc41fcba338ce15657

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
436fdceb8c9685f249fc52bf7b37195e

SHA1
0ab5afeee4c3ae99075f5af33ab8548137ee0bb8

SHA256
907a453dfe31ee63cfa35da810835de3b984a367cb88f3ddd67b92c5d0b39828

SHA512
4119054fd453fccaca7d92853b6c8b72c9bb92c514715b80739c9572d2a51e16f8954c76549d8e634e8a4bab5d7bde5896b632b9740ad1432a45f611d0104efe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
6a4de43f1de40d996030f8342fcba323

SHA1
12a0f08123302255276c8b8718f594af56748cbe

SHA256
0474141ebca0729c3e76cb831c9a8c3bacb1bdbdee4ff1dae6a547149fc10d29

SHA512
10d5037e001c177f5ff43fe513875b4feb270cf810c3fd36e7d6c439bd539d5ea617ea3af292f7a43e5b93364182777dfa24260b75f74f4c3885c395c7f87eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
121KB

MD5
c2b09a7e6c5814f285c82d2aa2da4c74

SHA1
f3a7d2c83cb129d1291cad601ea9732b220fbf43

SHA256
178273e56c439d1bd65c6ca37ed45e4d4cb8f1c5563a530f3fd89334da46a80c

SHA512
aef95477cfdcaffd16457b6c289c6414cac05d4f07bd95c5b15b74056db20c943201942240d630c7af3e3d2ab601a288dc268e1f127e9aef6e0b90ef5903f412

Download Submit
C:\Users\Admin\Downloads\VanishRaider-main.rar

Filesize
61KB

MD5
3d15d9b5d05223d0b812f1f51eb05ecb

SHA1
7f0f19e7128f546193685be6efe39a2ec61d8175

SHA256
c39552926a046eca64dab7cafbc9002ae22d592cba749fa03b6416b4a299431d

SHA512
7c65b4fddf10687c119718d136e45c570c4a5f9bb2ddbb23731813b5975d79a91ec062d7722909ede8ced4ac5a6fdb654ca9f1780546f50400f5de095f088ef1

Download Submit
C:\Users\Admin\Downloads\VanishRaider-main\vanish.exe

Filesize
137KB

MD5
ac59764dee7fcebe61b0a9d70f87c1e1

SHA1
4faba8946b946a6eeb121561417ae13e4ec8c606

SHA256
c6487e1da77c82d40628312680ad43343cff5b92462ffeeffed30f46b23625ab

SHA512
b71f1dbc069ee6612b0d6a136d77080f919958e7a6bcdf65260e04ac5efc484042aca0716dda8199970bf7f2d0f4864a4888e3b0dcfd1ef858c615f839c3ac65

Download Submit