asyncrat | a32ad92bc669d691f17c943761f30ebbdc17e85054595c648d78c1015ffcebb9

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MailAcess Checker by xRisky.exe
Size

10.4MB
MD5

0bfe538046352ebb0d7b5fcd50a287ad
SHA1

e76a0b5d42648df99604079af74931a333703ef3
SHA256

a32ad92bc669d691f17c943761f30ebbdc17e85054595c648d78c1015ffcebb9
SHA512

e938f69267ed773f26ec8b7d47d98b127c6f659ef04fde925484a1e755e20b435d61a2d3822274e23db48caaa1574c51ce3cb5c87c8c24109998bb0e0a58bfd2
SSDEEP

196608:+6JnRoCYJnksvvcHbMdYWSm2iLRoyru5Q2ZGe/QDbA0SnTbja57K4q6:FPoVJnpqi+6XySReIqHjaQ4q

Score

10^/10

asyncrat discovery evasion rat themida trojan

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Mutex

AsyncMutex_7SI8OkPnk

Attributes

delay
3
install
true
install_file
ContainerRuntime.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/Kb8rTgY7

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000d00000001224d-24.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 64 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcess Checker by xRisky.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcess Checker by xRisky.exe

Executes dropped EXE 64 IoCs

pid	Process
2492	svchost.exe
2672	svchost.exe
2288	svchost.exe
1600	svchost.exe
1668	svchost.exe
1412	ContainerRuntime.exe
2256	svchost.exe
1228	ContainerRuntime.exe
2948	svchost.exe
2232	svchost.exe
3020	ContainerRuntime.exe
3044	svchost.exe
2376	ContainerRuntime.exe
2172	svchost.exe
2180	ContainerRuntime.exe
1600	ContainerRuntime.exe
3068	svchost.exe
2148	ContainerRuntime.exe
2800	svchost.exe
2080	ContainerRuntime.exe
2792	svchost.exe
1664	svchost.exe
1012	svchost.exe
2688	svchost.exe
700	ContainerRuntime.exe
644	ContainerRuntime.exe
1464	svchost.exe
2684	ContainerRuntime.exe
376	svchost.exe
1060	svchost.exe
2284	svchost.exe
1440	svchost.exe
2024	svchost.exe
2776	svchost.exe
2268	svchost.exe
2112	svchost.exe
408	svchost.exe
2476	svchost.exe
2772	svchost.exe
1516	svchost.exe
2644	svchost.exe
2916	svchost.exe
2888	svchost.exe
2732	svchost.exe
1624	svchost.exe
2420	svchost.exe
2328	svchost.exe
1760	svchost.exe
1132	svchost.exe
2884	svchost.exe
2204	svchost.exe
2488	svchost.exe
2336	svchost.exe
2836	svchost.exe
2164	svchost.exe
1240	svchost.exe
2096	svchost.exe
1680	svchost.exe
1828	svchost.exe
2760	svchost.exe
940	svchost.exe
1444	svchost.exe
2652	svchost.exe
2528	svchost.exe

Loads dropped DLL 64 IoCs

pid	Process
2440	MailAcess Checker by xRisky.exe
2496	MailAcess Checker by xRisky.exe
3000	MailAcess Checker by xRisky.exe
2828	MailAcess Checker by xRisky.exe
304	MailAcess Checker by xRisky.exe
2696	cmd.exe
2180	MailAcess Checker by xRisky.exe
564	cmd.exe
1572	MailAcess Checker by xRisky.exe
2744	MailAcess Checker by xRisky.exe
1536	cmd.exe
2648	MailAcess Checker by xRisky.exe
2912	cmd.exe
3036	MailAcess Checker by xRisky.exe
2168	cmd.exe
680	MailAcess Checker by xRisky.exe
1056	cmd.exe
2236	MailAcess Checker by xRisky.exe
2060	MailAcess Checker by xRisky.exe
2956	MailAcess Checker by xRisky.exe
3048	MailAcess Checker by xRisky.exe
2696	MailAcess Checker by xRisky.exe
1568	cmd.exe
2624	cmd.exe
2184	MailAcess Checker by xRisky.exe
2044	MailAcess Checker by xRisky.exe
2656	MailAcess Checker by xRisky.exe
3004	MailAcess Checker by xRisky.exe
2876	MailAcess Checker by xRisky.exe
2968	MailAcess Checker by xRisky.exe
2828	MailAcess Checker by xRisky.exe
2232	MailAcess Checker by xRisky.exe
2564	MailAcess Checker by xRisky.exe
1788	MailAcess Checker by xRisky.exe
468	MailAcess Checker by xRisky.exe
1448	MailAcess Checker by xRisky.exe
2668	MailAcess Checker by xRisky.exe
1464	MailAcess Checker by xRisky.exe
2672	MailAcess Checker by xRisky.exe
2824	MailAcess Checker by xRisky.exe
620	MailAcess Checker by xRisky.exe
1440	MailAcess Checker by xRisky.exe
944	MailAcess Checker by xRisky.exe
1828	MailAcess Checker by xRisky.exe
2108	MailAcess Checker by xRisky.exe
2372	MailAcess Checker by xRisky.exe
680	MailAcess Checker by xRisky.exe
936	MailAcess Checker by xRisky.exe
2536	MailAcess Checker by xRisky.exe
1116	MailAcess Checker by xRisky.exe
1328	MailAcess Checker by xRisky.exe
2076	MailAcess Checker by xRisky.exe
1640	MailAcess Checker by xRisky.exe
2804	MailAcess Checker by xRisky.exe
2980	MailAcess Checker by xRisky.exe
2180	MailAcess Checker by xRisky.exe
3040	MailAcess Checker by xRisky.exe
2864	MailAcess Checker by xRisky.exe
2936	MailAcess Checker by xRisky.exe
1544	MailAcess Checker by xRisky.exe
2188	MailAcess Checker by xRisky.exe
2812	MailAcess Checker by xRisky.exe
868	MailAcess Checker by xRisky.exe
1972	MailAcess Checker by xRisky.exe

Themida packer 63 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2440-17-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2440-18-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2440-36-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2496-42-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2496-41-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2496-58-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/3000-63-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/3000-64-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2828-80-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2828-81-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/3000-83-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/304-110-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/304-111-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2180-132-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2180-133-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/1572-161-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/1572-162-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2744-191-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2744-192-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2648-217-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2648-218-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/3036-228-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/3036-229-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/680-288-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/680-289-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2236-312-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2236-313-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2060-325-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2060-324-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2956-335-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2956-336-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/3048-347-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/3048-346-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2696-364-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2696-365-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2184-401-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2184-402-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2044-418-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2044-419-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2656-429-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2656-430-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/3004-440-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/3004-441-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2876-456-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2876-457-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2968-467-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2968-468-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2828-479-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2828-478-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2232-489-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2232-490-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2564-500-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2564-501-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/1788-511-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/1788-512-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/468-522-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/468-523-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/1448-534-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/1448-533-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2668-544-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/2668-545-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/1464-559-0x0000000000050000-0x0000000001008000-memory.dmp	themida
behavioral1/memory/1464-560-0x0000000000050000-0x0000000001008000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcess Checker by xRisky.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2440	MailAcess Checker by xRisky.exe
2496	MailAcess Checker by xRisky.exe
3000	MailAcess Checker by xRisky.exe
2828	MailAcess Checker by xRisky.exe
304	MailAcess Checker by xRisky.exe
2180	MailAcess Checker by xRisky.exe
1572	MailAcess Checker by xRisky.exe
2744	MailAcess Checker by xRisky.exe
2648	MailAcess Checker by xRisky.exe
3036	MailAcess Checker by xRisky.exe
680	MailAcess Checker by xRisky.exe
2236	MailAcess Checker by xRisky.exe
2060	MailAcess Checker by xRisky.exe
2956	MailAcess Checker by xRisky.exe
3048	MailAcess Checker by xRisky.exe
2696	MailAcess Checker by xRisky.exe
2184	MailAcess Checker by xRisky.exe
2044	MailAcess Checker by xRisky.exe
2656	MailAcess Checker by xRisky.exe
3004	MailAcess Checker by xRisky.exe
2876	MailAcess Checker by xRisky.exe
2968	MailAcess Checker by xRisky.exe
2828	MailAcess Checker by xRisky.exe
2232	MailAcess Checker by xRisky.exe
2564	MailAcess Checker by xRisky.exe
1788	MailAcess Checker by xRisky.exe
468	MailAcess Checker by xRisky.exe
1448	MailAcess Checker by xRisky.exe
2668	MailAcess Checker by xRisky.exe
1464	MailAcess Checker by xRisky.exe
2672	MailAcess Checker by xRisky.exe
2824	MailAcess Checker by xRisky.exe
620	MailAcess Checker by xRisky.exe
1440	MailAcess Checker by xRisky.exe
944	MailAcess Checker by xRisky.exe
1828	MailAcess Checker by xRisky.exe
2372	MailAcess Checker by xRisky.exe
680	MailAcess Checker by xRisky.exe
936	MailAcess Checker by xRisky.exe
2536	MailAcess Checker by xRisky.exe
1116	MailAcess Checker by xRisky.exe
1328	MailAcess Checker by xRisky.exe
2076	MailAcess Checker by xRisky.exe
1640	MailAcess Checker by xRisky.exe
2804	MailAcess Checker by xRisky.exe
2980	MailAcess Checker by xRisky.exe
2180	MailAcess Checker by xRisky.exe
3040	MailAcess Checker by xRisky.exe
2864	MailAcess Checker by xRisky.exe
2936	MailAcess Checker by xRisky.exe
1544	MailAcess Checker by xRisky.exe
2188	MailAcess Checker by xRisky.exe
2812	MailAcess Checker by xRisky.exe
868	MailAcess Checker by xRisky.exe
1972	MailAcess Checker by xRisky.exe
2732	MailAcess Checker by xRisky.exe
1524	MailAcess Checker by xRisky.exe
316	MailAcess Checker by xRisky.exe
2692	MailAcess Checker by xRisky.exe
1560	MailAcess Checker by xRisky.exe
1652	MailAcess Checker by xRisky.exe
952	MailAcess Checker by xRisky.exe
2200	MailAcess Checker by xRisky.exe
2188	MailAcess Checker by xRisky.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ContainerRuntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ContainerRuntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ContainerRuntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ContainerRuntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ContainerRuntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 13 IoCs

evasion

pid	Process
2972	timeout.exe
844	timeout.exe
1060	timeout.exe
900	timeout.exe
2352	timeout.exe
844	timeout.exe
1248	timeout.exe
644	timeout.exe
1544	timeout.exe
1708	timeout.exe
1616	timeout.exe
1228	timeout.exe
2144	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2468	schtasks.exe
1428	schtasks.exe
1724	schtasks.exe
1420	schtasks.exe
1920	schtasks.exe
1884	schtasks.exe
1240	schtasks.exe
1420	schtasks.exe
1524	schtasks.exe
2220	schtasks.exe
836	schtasks.exe
2492	schtasks.exe
1812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
1600	svchost.exe
1600	svchost.exe
1600	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2232	svchost.exe
2232	svchost.exe
2232	svchost.exe
3044	svchost.exe
3044	svchost.exe
3044	svchost.exe
2172	svchost.exe
2172	svchost.exe
2172	svchost.exe
3068	svchost.exe
3068	svchost.exe
3068	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1012	svchost.exe
1012	svchost.exe
1012	svchost.exe
644	ContainerRuntime.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	cmd.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	svchost.exe
Token: SeDebugPrivilege	2288	svchost.exe
Token: SeDebugPrivilege	1600	svchost.exe
Token: SeDebugPrivilege	1668	svchost.exe
Token: SeDebugPrivilege	2256	svchost.exe
Token: SeDebugPrivilege	2948	svchost.exe
Token: SeDebugPrivilege	2232	svchost.exe
Token: SeDebugPrivilege	3044	svchost.exe
Token: SeDebugPrivilege	2172	svchost.exe
Token: SeDebugPrivilege	3068	svchost.exe
Token: SeDebugPrivilege	2800	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1012	svchost.exe
Token: SeDebugPrivilege	644	ContainerRuntime.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
644	ContainerRuntime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2492	2440	MailAcess Checker by xRisky.exe	30
PID 2440 wrote to memory of 2492	2440	MailAcess Checker by xRisky.exe	30
PID 2440 wrote to memory of 2492	2440	MailAcess Checker by xRisky.exe	30
PID 2440 wrote to memory of 2492	2440	MailAcess Checker by xRisky.exe	30
PID 2440 wrote to memory of 2496	2440	MailAcess Checker by xRisky.exe	31
PID 2440 wrote to memory of 2496	2440	MailAcess Checker by xRisky.exe	31
PID 2440 wrote to memory of 2496	2440	MailAcess Checker by xRisky.exe	31
PID 2440 wrote to memory of 2496	2440	MailAcess Checker by xRisky.exe	31
PID 2496 wrote to memory of 2672	2496	MailAcess Checker by xRisky.exe	33
PID 2496 wrote to memory of 2672	2496	MailAcess Checker by xRisky.exe	33
PID 2496 wrote to memory of 2672	2496	MailAcess Checker by xRisky.exe	33
PID 2496 wrote to memory of 2672	2496	MailAcess Checker by xRisky.exe	33
PID 2496 wrote to memory of 3000	2496	MailAcess Checker by xRisky.exe	34
PID 2496 wrote to memory of 3000	2496	MailAcess Checker by xRisky.exe	34
PID 2496 wrote to memory of 3000	2496	MailAcess Checker by xRisky.exe	34
PID 2496 wrote to memory of 3000	2496	MailAcess Checker by xRisky.exe	34
PID 3000 wrote to memory of 2288	3000	MailAcess Checker by xRisky.exe	35
PID 3000 wrote to memory of 2288	3000	MailAcess Checker by xRisky.exe	35
PID 3000 wrote to memory of 2288	3000	MailAcess Checker by xRisky.exe	35
PID 3000 wrote to memory of 2288	3000	MailAcess Checker by xRisky.exe	35
PID 3000 wrote to memory of 2828	3000	MailAcess Checker by xRisky.exe	36
PID 3000 wrote to memory of 2828	3000	MailAcess Checker by xRisky.exe	36
PID 3000 wrote to memory of 2828	3000	MailAcess Checker by xRisky.exe	36
PID 3000 wrote to memory of 2828	3000	MailAcess Checker by xRisky.exe	36
PID 2672 wrote to memory of 3048	2672	svchost.exe	37
PID 2672 wrote to memory of 3048	2672	svchost.exe	37
PID 2672 wrote to memory of 3048	2672	svchost.exe	37
PID 2672 wrote to memory of 3048	2672	svchost.exe	37
PID 2672 wrote to memory of 2696	2672	svchost.exe	39
PID 2672 wrote to memory of 2696	2672	svchost.exe	39
PID 2672 wrote to memory of 2696	2672	svchost.exe	39
PID 2672 wrote to memory of 2696	2672	svchost.exe	39
PID 3048 wrote to memory of 1812	3048	cmd.exe	41
PID 3048 wrote to memory of 1812	3048	cmd.exe	41
PID 3048 wrote to memory of 1812	3048	cmd.exe	41
PID 3048 wrote to memory of 1812	3048	cmd.exe	41
PID 2696 wrote to memory of 1248	2696	cmd.exe	42
PID 2696 wrote to memory of 1248	2696	cmd.exe	42
PID 2696 wrote to memory of 1248	2696	cmd.exe	42
PID 2696 wrote to memory of 1248	2696	cmd.exe	42
PID 2828 wrote to memory of 1600	2828	MailAcess Checker by xRisky.exe	43
PID 2828 wrote to memory of 1600	2828	MailAcess Checker by xRisky.exe	43
PID 2828 wrote to memory of 1600	2828	MailAcess Checker by xRisky.exe	43
PID 2828 wrote to memory of 1600	2828	MailAcess Checker by xRisky.exe	43
PID 2828 wrote to memory of 304	2828	MailAcess Checker by xRisky.exe	44
PID 2828 wrote to memory of 304	2828	MailAcess Checker by xRisky.exe	44
PID 2828 wrote to memory of 304	2828	MailAcess Checker by xRisky.exe	44
PID 2828 wrote to memory of 304	2828	MailAcess Checker by xRisky.exe	44
PID 304 wrote to memory of 1668	304	MailAcess Checker by xRisky.exe	45
PID 304 wrote to memory of 1668	304	MailAcess Checker by xRisky.exe	45
PID 304 wrote to memory of 1668	304	MailAcess Checker by xRisky.exe	45
PID 304 wrote to memory of 1668	304	MailAcess Checker by xRisky.exe	45
PID 304 wrote to memory of 2180	304	MailAcess Checker by xRisky.exe	46
PID 304 wrote to memory of 2180	304	MailAcess Checker by xRisky.exe	46
PID 304 wrote to memory of 2180	304	MailAcess Checker by xRisky.exe	46
PID 304 wrote to memory of 2180	304	MailAcess Checker by xRisky.exe	46
PID 2696 wrote to memory of 1412	2696	cmd.exe	47
PID 2696 wrote to memory of 1412	2696	cmd.exe	47
PID 2696 wrote to memory of 1412	2696	cmd.exe	47
PID 2696 wrote to memory of 1412	2696	cmd.exe	47
PID 2288 wrote to memory of 1552	2288	svchost.exe	48
PID 2288 wrote to memory of 1552	2288	svchost.exe	48
PID 2288 wrote to memory of 1552	2288	svchost.exe	48
PID 2288 wrote to memory of 1552	2288	svchost.exe	48

C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
  "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC0D.tmp.bat""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1248
    - - C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        5⤵
        Executes dropped EXE
        
        PID:1412
- - C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
    "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB68.tmp.bat""
        5⤵
        Loads dropped DLL
        
        PID:564
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:644
      - C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        6⤵
        Executes dropped EXE
        
        PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
      "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        6⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1420
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF392.tmp.bat""
        6⤵
        Loads dropped DLL
        
        PID:1536
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:304
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        7⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF96C.tmp.bat""
        7⤵
        Loads dropped DLL
        
        PID:2912
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2376
      - C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        8⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp406.tmp.bat""
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2988
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        9⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        10⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB66.tmp.bat""
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        10⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        10⤵
        
        PID:304
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1304.tmp.bat""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        11⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        11⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        12⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp17D4.tmp.bat""
        11⤵
        Loads dropped DLL
        
        PID:1056
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        12⤵
        Delays execution with timeout.exe
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        10⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp209B.tmp.bat""
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        13⤵
        Delays execution with timeout.exe
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        13⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        11⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3524.tmp.bat""
        13⤵
        Loads dropped DLL
        
        PID:1568
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        14⤵
        Delays execution with timeout.exe
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        12⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3C93.tmp.bat""
        14⤵
        
        PID:956
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        15⤵
        Delays execution with timeout.exe
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        13⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        14⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        14⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        16⤵
        
        PID:780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp479B.tmp.bat""
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        17⤵
        Delays execution with timeout.exe
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        15⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        17⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp512C.tmp.bat""
        17⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        18⤵
        Delays execution with timeout.exe
        
        PID:1228
        
        C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
        18⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        16⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        17⤵
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        18⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        18⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        19⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        20⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        20⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        21⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        21⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        22⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        22⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        23⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        23⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        24⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        24⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        25⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        25⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        26⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        26⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        27⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        27⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        28⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        28⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        29⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        29⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        30⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        30⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        31⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        31⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        32⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        32⤵
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        33⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        33⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        34⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        34⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        35⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        36⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        36⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        37⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        38⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        38⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        39⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        39⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        40⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        40⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        41⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        41⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        42⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        42⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        43⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        43⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        44⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        44⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        45⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        46⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        47⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        47⤵
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        48⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        48⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        49⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        49⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        50⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        50⤵
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        51⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        51⤵
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        52⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        52⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        53⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        54⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        55⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        55⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        56⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        57⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        58⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        58⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        59⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        59⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        60⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        60⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        61⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        62⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        62⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        63⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        64⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        64⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        65⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        66⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        66⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        67⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        67⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        68⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        68⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        69⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
        70⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Leaf.xNet.dll

Filesize
130KB

MD5
dc5f27d5f080e77f1b205e80199d5c1f

SHA1
0de5aa944ad8e1e5f1f064235ebb16f87c806d78

SHA256
60a1f61c367696219175b73eccdc868c44090b227b47754454c9fc47a5848f62

SHA512
c650d22eca52a4e05a0d5791f08c7b636986b8685a74b3264eb3efa400e0a0f687b013c57a1b890fc8ce98644e5a66f5b4e924d79b4ac60087a5c220ab3467df

Download Submit
C:\Users\Admin\AppData\Local\Temp\MailKit.dll

Filesize
787KB

MD5
ba0255f547fab7eed60863ad27d24c97

SHA1
a5d095ac3d746eb400a314317a88c215d78cc304

SHA256
5fd7f167bdf289ae48b9f0f68e63c07370427d4eb8436005a5859b5bba3a7d2b

SHA512
e672daa19be91d84e5f2e0124b0508faeb241c91c6515f687a55b20d8febb2e2360e695aaf2e1d252e9ed0d494f71087315199f7b43eb6fa13949484ee177ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MetroSuite 2.0.dll

Filesize
305KB

MD5
0d30a398cec0ff006b6ea2b52d11e744

SHA1
4ceebd9c6180a321c4d4f3cfb5cfc3952bf72b45

SHA256
8604bf2a1fe2e94dc1ea1fbd0cf54e77303493b93994df48479dc683580aa654

SHA512
8e06ff131a81e73b1ff5de78262701a11ecc2bcdaf41011f4e96f11c5372742478e70b6a0901b61953c21c95725532af8d785654405ec5066ad157e2143467cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MimeKit.dll

Filesize
971KB

MD5
695ef3be6c2169067e0f1d9f7d99bc27

SHA1
24185ff27f8a64fb71abf29b8f1338492cd7c0c6

SHA256
78d4f282269afba07ba89d1434dc1c3f9c48097fc252e93cf94e493ac8c109fd

SHA512
b3c7d1cee7f6ae16d66caf1d39113c0b5fe1b7ac4fb813134450679c82a2d306293799efc66c4d2ffed703dbc3921136f3cb393c2c4452791c8681129c74ed36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qoollo.Turbo.dll

Filesize
349KB

MD5
4e8246df4ee956ec273c4baa2054593c

SHA1
7847f523fefc14fec2c739c293593b673fb1c9d8

SHA256
1172732fd0fe6b679f5c6bf750598133dc815622c55ef1fa84087087bf42b495

SHA512
13398ea46879d533774e7ace1d3320ca60f7220277fcb2393c243ffeadbb5bb37900f87ac35b9eeb134e26e71068874b9eee226853a52d1528d5db761bcf22b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
61KB

MD5
89ae031a0e2f7f28576a63d3c100dcaf

SHA1
6b26dfe7e76fbc96109a4d0773593443277978df

SHA256
acaa87f43a617016d09caeb26c1e30d9e9fd069fcbe2165723f80a0056aaf6bf

SHA512
aea507c78832cca5bf4b7c16ac5ba9b4b87028d2a99fbd1ca535a6336952516ab74571475f2a074b89b9c12754a2979803a3aba74c7a326f2c70a8431a7010d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1304.tmp.bat

Filesize
160B

MD5
ce2baa0bf2f1cd5eb1a531604c65c029

SHA1
4dd050689c0340f773e55a9dc94b6317c7a697ba

SHA256
1bdc2df3412d44f302816a2384991c58e7633c5acb80ee0f4462d869cdef109f

SHA512
c9fd0707d9f321c3129fd8e1a39a325398be8c4ca97bea945144c951b76c44821c753ffca108517cb121e321b25c036f284708dae59c38efbbb025bb5e25819f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp17D4.tmp.bat

Filesize
160B

MD5
61cb3603dfcb338d52661f2fe3dffcd5

SHA1
e254aed6d35c99ce90f73f6bcc288ab700f84028

SHA256
d3d92f9ecb8b76071c1cab272c105a7ca5c1dd3af30b991518f41e13a9800038

SHA512
e3096d9320648c8ddba5d3eb4cdcfd159474c60914bcee8d485df99068ffe1c2dfc06cf55e3351a71cd8118798272a58a3314c17acf30f6808267d0cb9182ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp209B.tmp.bat

Filesize
160B

MD5
01426339683b3303e8f2aa6640e49b26

SHA1
9a538950d2e1f3c98de67fd4957e710682d7516c

SHA256
e2e29bf096c78820dbb7dea0ee0ecc41908da8e2a66e47066d53e0ea68822241

SHA512
f9d4cb3a6905c73b6c22c71d7e675f79c62b6b3847c5640bf281c4491e157ed75580bc1df2c2716904bb894a372d0e1492e9373c8eb5bb0ff2c671d4fdc2bf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3524.tmp.bat

Filesize
160B

MD5
0d884f5ae76ce6dabeeddcfbbee2c5c7

SHA1
4c912070d3228a72e012263de125d18770ac02fc

SHA256
59864eeb9de24f5d755e4e8088f9c5a08c0afdf146d8cef7c47a53f1a1cb0c99

SHA512
541bbd0ccf7db206bb880187193a6a7b0435866d2f856704cf6031e535fb3b9adbb3d64bb9494ca408c99600f16898916f9d5a3fabb6f59131948ddb809ea230

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3C93.tmp.bat

Filesize
160B

MD5
8db35a179d48935f9fd200c3c4989e7d

SHA1
2b35bb7c6ab9038b8d4578dff354fb1c20d45c9d

SHA256
987d04b7972c2ab92b0d9c4b0c2bcb4f14afc296b03d57ed81446f8e143c8cd7

SHA512
ca8dfa018ab93eb1e747bc14796df7175f5a04ebd2be2cba4078eacd207decc7c335a9200ba3139cfa82a4a7c90d4115978720938f150ba55418b87c99d00cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp406.tmp.bat

Filesize
159B

MD5
aac290d5a2128437e4c323b819d2a1f0

SHA1
dd9407557dca43830815b380a80bd0bcfb3e6d76

SHA256
00b140fb7a32733ab7066a488e316ac5e7de04860af5374c954b9a37f2307826

SHA512
4782927aa8089c1f37ac939440994f60cd5fdaa40b5ada37c384185343d6fc4994d5e75fb8f60c3de21894695d5aba312a017844b5e80023e9dfcd50081c95fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp479B.tmp.bat

Filesize
160B

MD5
ebafb20de614732e694d2689cbc8f83d

SHA1
bd953c87ff70bd903885070c79b4dc6c2e05cb11

SHA256
703680ca6d50d5b567159ff100924a2aad302577f535019ef702aa9252e7face

SHA512
9396e99a24649357f5102783bf8446bb184f68117200c30dbebd1255b72e82108ccdda397a3e924102d58a0f29232cf587809c2f36986b95e835c74f8750203a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp512C.tmp.bat

Filesize
160B

MD5
f4373fe8f8bf032a6200c45ac87629ea

SHA1
d8010718508caadcbbcede28a691bbddb29ef4d3

SHA256
a9af1a0df54c7044a7e31e6282d98eb10b06a077568f10e8e70de0f4d9fa5546

SHA512
b62bb2198d3ed05fe33c5aed9e9403fa3e97a19c5cb99c730ded0390b76593639c8fb3d504381ee41a58bf2dc70c8e43c1cd9227fefa19215a7bd42fbeeaa0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB66.tmp.bat

Filesize
159B

MD5
4a974f234e414c0f23bb7f203c8d92a7

SHA1
8e4915384650b30c826bf5baead1b9f5a1784b95

SHA256
9e6639f3cfd0c7fd5485953b9f197e76e5ebc6f11c9a32c042db6cb127f84cfa

SHA512
da32ab774ae120f7eac64f611414862bc9622bd0d290bce45e5ae7c211edf8cba2d93ae1b14f1fccca3d1e58c650d6e00a265afe906c61f2d8bc85f535cdd776

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC0D.tmp.bat

Filesize
160B

MD5
be46142a048d54f636e081ed315b8f5f

SHA1
51fc23c070fac0077c2104f10852bc3e56d8f951

SHA256
b7b1c154c1987bb1e9231e08ab0a1b58a1e49ec01dd8e3eedebb15181bbda874

SHA512
3c9acab36c2bcf292bafd05fcabb6ec5d96d241520dfd12fcb76d2e3f59b46879194c5a92b8c43d9e41fb42462e8094b8f1964000df9bceb908d0f782992d3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB68.tmp.bat

Filesize
160B

MD5
75655e20cb39b13141df62feefdb4b1f

SHA1
a01d550805933fdaa84218cd6a71dccbddee5d1b

SHA256
bcaa997a6436e5eed0ec51ffff9515e71ae6074183760ae829c267339190d791

SHA512
07e7758b8d8facc31c481ebd32cdabfbc5ef95e2f85580b28f73bbef2f0bf31ef905541d041744ca06d1c44bb7c24036d07753cc87276c531d068ed1b22f1f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF392.tmp.bat

Filesize
160B

MD5
68f9910643b7437b8c819dc1b19bef7c

SHA1
29df1e9036b26fe19ca7a988c30ccfd8ec685c71

SHA256
40b3a469285d6621bc6d90bc7c7cc52465be8004b4010687f2bfd4490bf14748

SHA512
8d01da539eac0cd3113d0ac930d850dbe53da5837535af6e29a33292cf1da44d1df18b9dc08b69e6557598c31a79c8e463ca14829613ea530a03eae3a8111f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF96C.tmp.bat

Filesize
160B

MD5
c9ef5265c539ec891d648790e202d4a7

SHA1
775bcd347c8b777f5a25174a92aa24b7489e3a96

SHA256
017912f3fe5a3238362944837e604dcbf2d9d31e738dde318d87f290cfdb48c2

SHA512
74e7610c91e2f00fcfef451ea8f9e99708f762cac14f17f25c5b13624adadb74d357c263c083e1cee85c22d36194e979fe80f46bedb1fd96501340ef0e112bd0

Download Submit
memory/304-110-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/304-111-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/468-522-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/468-523-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/644-403-0x0000000001070000-0x0000000001086000-memory.dmp

Filesize
88KB

Download
memory/680-289-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/680-288-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/700-380-0x0000000000A30000-0x0000000000A46000-memory.dmp

Filesize
88KB

Download
memory/868-844-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/944-626-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/1412-127-0x0000000000070000-0x0000000000086000-memory.dmp

Filesize
88KB

Download
memory/1448-534-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/1448-533-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/1448-540-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/1464-408-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download
memory/1464-559-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/1464-560-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/1572-161-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/1572-162-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/1572-187-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/1788-512-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/1788-511-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2044-418-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2044-419-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2044-425-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2060-325-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2060-324-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2148-314-0x0000000000E20000-0x0000000000E36000-memory.dmp

Filesize
88KB

Download
memory/2180-284-0x0000000000CF0000-0x0000000000D06000-memory.dmp

Filesize
88KB

Download
memory/2180-132-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2180-133-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2184-402-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2184-401-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2232-496-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2232-490-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2232-489-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2236-312-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2236-313-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2284-446-0x0000000001290000-0x00000000012A6000-memory.dmp

Filesize
88KB

Download
memory/2376-239-0x0000000001060000-0x0000000001076000-memory.dmp

Filesize
88KB

Download
memory/2440-37-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-13-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-0-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2440-10-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-5-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-17-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2440-14-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-1-0x0000000076D81000-0x0000000076D82000-memory.dmp

Filesize
4KB

Download
memory/2440-18-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2440-32-0x0000000006A60000-0x0000000007A18000-memory.dmp

Filesize
15.7MB

Download
memory/2440-3-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-36-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2440-15-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-12-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-4-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-2-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-11-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-16-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2440-6-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2492-84-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2492-62-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2492-27-0x0000000076D70000-0x0000000076E80000-memory.dmp

Filesize
1.1MB

Download
memory/2492-26-0x0000000000FF0000-0x0000000001006000-memory.dmp

Filesize
88KB

Download
memory/2496-41-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2496-55-0x0000000006CC0000-0x0000000007C78000-memory.dmp

Filesize
15.7MB

Download
memory/2496-58-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2496-42-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2496-34-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2564-501-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2564-500-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2564-507-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2648-218-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2648-217-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2656-430-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2656-429-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2668-545-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2668-544-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2672-577-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2696-365-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2696-364-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2744-192-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2744-191-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2812-837-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2828-478-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2828-479-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2828-80-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2828-81-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2876-457-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2876-456-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2956-345-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2956-336-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2956-335-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2968-468-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/2968-467-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3000-63-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3000-83-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3000-56-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3000-64-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3004-440-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3004-441-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3020-216-0x0000000001100000-0x0000000001116000-memory.dmp

Filesize
88KB

Download
memory/3036-229-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3036-228-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3048-346-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3048-347-0x0000000000050000-0x0000000001008000-memory.dmp

Filesize
15.7MB

Download
memory/3068-302-0x0000000000EA0000-0x0000000000EB6000-memory.dmp

Filesize
88KB

Download