Analysis
-
max time kernel
340s -
max time network
336s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
26-03-2023 11:20
General
-
Target
AridekVM.exe
-
Size
12.9MB
-
MD5
7550996532016fa5bb2e7fcee4fbf1a4
-
SHA1
e0f0d2b17c03477196209ee9635f2a11283027d8
-
SHA256
c0afd7d86cb0586db959d19db36345676437acb53140ea9d91e6201041cadae7
-
SHA512
935714dc724e7c3e0f02fff28e0cf8c4eec81a3ea2c3c79669e99837fc77ac15e62456cda11771943c578075a6c74e6d01512c7e90048d527c96f60df18ef131
-
SSDEEP
196608:dEGgxWcn/V+7huajaJ+RWgKf4it0d3sbPKjGyhZvEwrPjVlQozzB4dDTe:dEjxWKNihNaJEW4Wis+DMwnQxi
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Themida packer 21 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\AridekVM.exe"C:\Users\Admin\AppData\Local\Temp\AridekVM.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\AridekVM.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\AridekVM.exe" MD53⤵
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.0.1451212117\1157802808" -parentBuildID 20221007134813 -prefsHandle 1796 -prefMapHandle 1716 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f42db0e-a2ae-4c35-8f89-ca04a17ea2fd} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 1876 1ff7eaa8558 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.1.361365819\1380624743" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b3138cc-d968-468b-be13-4b7bdf534e01} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 2276 1ff70b72b58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.2.470606807\580174337" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 2920 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70647755-d0d2-405a-a112-55593eef239a} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 2944 1ff01d4ea58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.3.984405546\1942964758" -childID 2 -isForBrowser -prefsHandle 3460 -prefMapHandle 3456 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64e80f16-e855-49f2-b8a0-20f27aa89927} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 1248 1ff006f5258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.4.1254461431\1314037838" -childID 3 -isForBrowser -prefsHandle 3992 -prefMapHandle 3988 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {227ac634-af89-4e25-916b-c77725f9b818} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 4000 1ff7ef60b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.5.1327313369\1030665528" -childID 4 -isForBrowser -prefsHandle 4924 -prefMapHandle 4972 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a3fa6f-7c7f-4c9e-95e6-705c5eb569a8} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 4932 1ff043cf858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.7.1406041067\1838151294" -childID 6 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb9515d2-843e-47d9-bd54-7e71d00fa5c2} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 5300 1ff04628b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.6.1819627406\2124827467" -childID 5 -isForBrowser -prefsHandle 5108 -prefMapHandle 5112 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29749f0c-bcfe-4c37-a8a4-2aaae888fc54} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 4968 1ff045e5e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.8.1049738860\84341673" -childID 7 -isForBrowser -prefsHandle 3660 -prefMapHandle 3644 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d12ce7c-fb59-4228-aeb7-70ce3e4070a0} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 3516 1ff02b4fa58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.9.1627096041\341556374" -parentBuildID 20221007134813 -prefsHandle 9908 -prefMapHandle 9956 -prefsLen 26930 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e99c2ea-8c42-4398-8580-3c9d65200f56} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 9912 1ff0687e358 rdd3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.10.1301698300\1708949970" -childID 8 -isForBrowser -prefsHandle 9740 -prefMapHandle 9744 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {290610ed-120e-40ba-8c55-e219dfb64789} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 9728 1ff06941b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.11.1872308860\211231883" -childID 9 -isForBrowser -prefsHandle 9516 -prefMapHandle 9604 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f44c2844-2f77-4939-b74f-bce5d4549242} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 9736 1ff06943c58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.13.546943765\59644314" -childID 11 -isForBrowser -prefsHandle 9068 -prefMapHandle 9064 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64e6eb63-6ee3-4a02-b1b4-d45e69554b74} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 9076 1ff043d2858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.12.294794425\1455249561" -childID 10 -isForBrowser -prefsHandle 5932 -prefMapHandle 5928 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23f03ccf-3d77-4fc5-ae53-63862d18fdab} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 5852 1ff03fa6d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.14.1132673163\47150866" -childID 12 -isForBrowser -prefsHandle 5944 -prefMapHandle 3648 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1df63d2-8ee0-4ee9-aca8-331f732f433f} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 5904 1ff05e0a258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.15.1256432239\1116695481" -childID 13 -isForBrowser -prefsHandle 8532 -prefMapHandle 8536 -prefsLen 26970 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a45f180b-67d2-4780-810f-eca0a13558cc} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 8568 1ff078fba58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.18.2050247526\348689932" -childID 16 -isForBrowser -prefsHandle 7892 -prefMapHandle 7888 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fe9cdc1-0008-4ce7-8fc0-5c08162af632} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 7900 1ff084f8858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.17.1485980453\1081138100" -childID 15 -isForBrowser -prefsHandle 7992 -prefMapHandle 7996 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21c7bb4e-b37f-4e12-bdcb-12f802692783} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 8244 1ff084faf58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.16.1197777654\768522171" -childID 14 -isForBrowser -prefsHandle 8184 -prefMapHandle 8188 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d564189-955a-443b-ad4e-57c7caeaae0b} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 8236 1ff0853ed58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.20.122835146\451029602" -childID 18 -isForBrowser -prefsHandle 7380 -prefMapHandle 8988 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e2bd4b2-c118-4311-ba17-11e113b2eda4} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 7372 1ff074a0a58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.19.1744320374\1290468388" -childID 17 -isForBrowser -prefsHandle 7608 -prefMapHandle 7612 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09610258-db17-41cb-aa26-d34378d027e9} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 7600 1ff07b1f258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.23.1017905651\1006031749" -childID 21 -isForBrowser -prefsHandle 8048 -prefMapHandle 8060 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29f27c7b-bd13-48bf-9b31-3d0b5920493f} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 6836 1ff0687fb58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.22.143988461\521424600" -childID 20 -isForBrowser -prefsHandle 6952 -prefMapHandle 6956 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff9ae086-5c07-407a-8789-8d5260c32bca} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 7040 1ff00b99458 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.21.789115669\1112324323" -childID 19 -isForBrowser -prefsHandle 7232 -prefMapHandle 9212 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b2bcc0f-35ef-4c16-a8ca-1d8226996654} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 8676 1ff06df1b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.24.992990460\1677740475" -childID 22 -isForBrowser -prefsHandle 7040 -prefMapHandle 6800 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {152ad915-6816-49a2-bc27-4e08adc05c49} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 6572 1ff08d3f758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.25.1995238204\536710164" -childID 23 -isForBrowser -prefsHandle 6528 -prefMapHandle 6524 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {484bb7f3-1ca7-4d9d-9385-3c20aa7ac687} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 6436 1ff08d41258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.27.1750253842\2046112074" -childID 25 -isForBrowser -prefsHandle 6040 -prefMapHandle 6468 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {922b7865-34ea-4745-b8c6-6ab3eab6db22} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 6124 1ff09264d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.28.1856222737\1360221764" -childID 26 -isForBrowser -prefsHandle 10096 -prefMapHandle 10092 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f8a8f47-b45c-4373-ade4-7fa9ab3c43e1} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 10108 1ff09dbbb58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.26.615306662\1698470090" -childID 24 -isForBrowser -prefsHandle 4696 -prefMapHandle 4692 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f473586-ae8b-4ee4-9664-9a366a7fdf5b} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 6468 1ff09afdf58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.29.765129894\14605835" -childID 27 -isForBrowser -prefsHandle 10408 -prefMapHandle 10412 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3415be1-28d2-4792-9b6e-aeedf8f0ae5a} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 10428 1ff06df2758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.30.1160298960\166790736" -childID 28 -isForBrowser -prefsHandle 10360 -prefMapHandle 10364 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {418ccdd6-d896-4df1-821e-7aed752e56bd} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 10352 1ff06ed3158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.31.903885440\158393425" -childID 29 -isForBrowser -prefsHandle 10660 -prefMapHandle 10656 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {521c5aee-9787-4d3a-8b40-c115546c0e8c} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 10672 1ff078fb458 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.32.1639537154\1056890523" -childID 30 -isForBrowser -prefsHandle 10808 -prefMapHandle 10812 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa46d35f-446f-4e8c-b389-b4bb99985663} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 10796 1ff07cbdd58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.33.736531382\1939997765" -childID 31 -isForBrowser -prefsHandle 4704 -prefMapHandle 11052 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2de80c8-b9d4-4df2-9627-7dd8e607248b} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 6528 1ff084fb558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.34.1513106769\1873205306" -childID 32 -isForBrowser -prefsHandle 11136 -prefMapHandle 11140 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {429d9907-fa3d-488e-b6a2-9c4016e466b8} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 10620 1ff09325558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.35.1493589516\564302803" -childID 33 -isForBrowser -prefsHandle 10292 -prefMapHandle 10296 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83020991-6715-4a61-ad90-3e6122302f15} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 10232 1ff07e81e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.36.842157928\1551405816" -childID 34 -isForBrowser -prefsHandle 11072 -prefMapHandle 11188 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e99614c-0b74-489d-8dff-26a2057d8bd8} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 11052 1ff09327358 tab3⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap19959:90:7zEvent235271⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\patcher.exe"C:\Users\Admin\Desktop\patcher.exe" C:\Users\Admin\Desktop\AridekVM.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\AridekVM.exeC:\Users\Admin\Desktop\AridekVM.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7972 -s 5003⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 7972 -ip 79721⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD513157b6eb24b2e852af360aba50bcb46
SHA1185bab6a663fdf6a72fadf0ce27931166b915483
SHA25648a8c1e32d9ab5fca2fc1a68952e603c2bf64bef99f738cd6e7d11faaa7baf29
SHA512c701b34dfe36b4cfca83177401a4ac4d6bb1eac80d539012e835a4960a60bc2123eda078a09d77031ddbbddfcdfb11bac61c062a8d4390a7d77da7f20dbb42a0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojildlin.drp.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Desktop\AridekVM.exeFilesize
12.9MB
MD57550996532016fa5bb2e7fcee4fbf1a4
SHA1e0f0d2b17c03477196209ee9635f2a11283027d8
SHA256c0afd7d86cb0586db959d19db36345676437acb53140ea9d91e6201041cadae7
SHA512935714dc724e7c3e0f02fff28e0cf8c4eec81a3ea2c3c79669e99837fc77ac15e62456cda11771943c578075a6c74e6d01512c7e90048d527c96f60df18ef131
-
C:\Users\Admin\Desktop\AridekVM.exeFilesize
12.9MB
MD57550996532016fa5bb2e7fcee4fbf1a4
SHA1e0f0d2b17c03477196209ee9635f2a11283027d8
SHA256c0afd7d86cb0586db959d19db36345676437acb53140ea9d91e6201041cadae7
SHA512935714dc724e7c3e0f02fff28e0cf8c4eec81a3ea2c3c79669e99837fc77ac15e62456cda11771943c578075a6c74e6d01512c7e90048d527c96f60df18ef131
-
C:\Users\Admin\Desktop\patcher.exeFilesize
18KB
MD553343c8133f139d2ea7b8b5b26b723f7
SHA1a5dac256f151e392bc1aad5356b31eb3b75beaa3
SHA256410e4129d0d1e3eec35a63c44c8bc7f4eff9e88e8ad8cb7f971ea17bf124640a
SHA5120cd51ea3f5b463adc1097b3ef9cb6d36aa38e9416bb799e615381d497c77eb877f5400346b93771bb81fd3a6f2275cf06a15f7074555e981ef0e20666d11c8f7
-
C:\Users\Admin\Desktop\patcher.exeFilesize
18KB
MD553343c8133f139d2ea7b8b5b26b723f7
SHA1a5dac256f151e392bc1aad5356b31eb3b75beaa3
SHA256410e4129d0d1e3eec35a63c44c8bc7f4eff9e88e8ad8cb7f971ea17bf124640a
SHA5120cd51ea3f5b463adc1097b3ef9cb6d36aa38e9416bb799e615381d497c77eb877f5400346b93771bb81fd3a6f2275cf06a15f7074555e981ef0e20666d11c8f7
-
memory/4144-150-0x000001D73E2D0000-0x000001D73E2F2000-memory.dmpFilesize
136KB
-
memory/4144-152-0x000001D724810000-0x000001D724820000-memory.dmpFilesize
64KB
-
memory/4144-151-0x000001D724810000-0x000001D724820000-memory.dmpFilesize
64KB
-
memory/5088-138-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-134-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-140-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-155-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-156-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-157-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-158-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-139-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-133-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-137-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-135-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/5088-136-0x00007FF659F40000-0x00007FF65B941000-memory.dmpFilesize
26.0MB
-
memory/7328-193-0x00000295EB2A0000-0x00000295EB2A1000-memory.dmpFilesize
4KB
-
memory/7328-196-0x00000295EB2A0000-0x00000295EB2A1000-memory.dmpFilesize
4KB
-
memory/7328-192-0x00000295EB2A0000-0x00000295EB2A1000-memory.dmpFilesize
4KB
-
memory/7328-197-0x00000295EB2A0000-0x00000295EB2A1000-memory.dmpFilesize
4KB
-
memory/7328-198-0x00000295EB2A0000-0x00000295EB2A1000-memory.dmpFilesize
4KB
-
memory/7328-195-0x00000295EB2A0000-0x00000295EB2A1000-memory.dmpFilesize
4KB
-
memory/7328-194-0x00000295EB2A0000-0x00000295EB2A1000-memory.dmpFilesize
4KB
-
memory/7328-187-0x00000295EB2A0000-0x00000295EB2A1000-memory.dmpFilesize
4KB
-
memory/7328-188-0x00000295EB2A0000-0x00000295EB2A1000-memory.dmpFilesize
4KB
-
memory/7328-186-0x00000295EB2A0000-0x00000295EB2A1000-memory.dmpFilesize
4KB
-
memory/7972-178-0x00007FF6E7CB0000-0x00007FF6E96B1000-memory.dmpFilesize
26.0MB
-
memory/7972-179-0x00007FF6E7CB0000-0x00007FF6E96B1000-memory.dmpFilesize
26.0MB
-
memory/7972-184-0x00007FF6E7CB0000-0x00007FF6E96B1000-memory.dmpFilesize
26.0MB
-
memory/7972-180-0x00007FF6E7CB0000-0x00007FF6E96B1000-memory.dmpFilesize
26.0MB
-
memory/7972-183-0x00007FF6E7CB0000-0x00007FF6E96B1000-memory.dmpFilesize
26.0MB
-
memory/7972-182-0x00007FF6E7CB0000-0x00007FF6E96B1000-memory.dmpFilesize
26.0MB
-
memory/7972-181-0x00007FF6E7CB0000-0x00007FF6E96B1000-memory.dmpFilesize
26.0MB