Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-08-2024 09:42
General
-
Target
MailAcess Checker by xRisky.exe
-
Size
10.4MB
-
MD5
0bfe538046352ebb0d7b5fcd50a287ad
-
SHA1
e76a0b5d42648df99604079af74931a333703ef3
-
SHA256
a32ad92bc669d691f17c943761f30ebbdc17e85054595c648d78c1015ffcebb9
-
SHA512
e938f69267ed773f26ec8b7d47d98b127c6f659ef04fde925484a1e755e20b435d61a2d3822274e23db48caaa1574c51ce3cb5c87c8c24109998bb0e0a58bfd2
-
SSDEEP
196608:+6JnRoCYJnksvvcHbMdYWSm2iLRoyru5Q2ZGe/QDbA0SnTbja57K4q6:FPoVJnpqi+6XySReIqHjaQ4q
Score
10/10
Malware Config
Extracted
Family
asyncrat
Version
| Edit 3LOSH RAT
Mutex
AsyncMutex_7SI8OkPnk
Attributes
-
delay
3
-
install
true
-
install_file
ContainerRuntime.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/Kb8rTgY7
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 64 IoCs
-
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Themida packer 64 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 64 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9EA1.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB362.tmp.bat""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"5⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'7⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE8D.tmp.bat""6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"7⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'8⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"9⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"11⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"11⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"12⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"13⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"13⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"14⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"14⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"15⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"15⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"16⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"17⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"17⤵
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"18⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"19⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"19⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"20⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"21⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"21⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"22⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"22⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"23⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"23⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"24⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"24⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"25⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"26⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"26⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"27⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"27⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"28⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"28⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"29⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"30⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"30⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"31⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"31⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"32⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"32⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"33⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"34⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"35⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"35⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"36⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"37⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"37⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"38⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"39⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"40⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"40⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"41⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"42⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"43⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"44⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"44⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"45⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"45⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"46⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"47⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"47⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"48⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"48⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"49⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"49⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"50⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"51⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"51⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"52⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"53⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"54⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"55⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"56⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"56⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"57⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"57⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"58⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"59⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"60⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"60⤵
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"61⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"61⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"62⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"62⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"63⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"63⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"64⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"64⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"65⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"65⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"66⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"66⤵
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"67⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"67⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"68⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"68⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"69⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"69⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"70⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"70⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"71⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"71⤵
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"72⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"72⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"73⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"73⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
522B
MD50f39d6b9afc039d81ff31f65cbf76826
SHA18356d04fe7bba2695d59b6caf5c59f58f3e1a6d8
SHA256ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d
SHA5125bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9
-
Filesize
522B
MD5acc9090417037dfa2a55b46ed86e32b8
SHA153fa6fb25fb3e88c24d2027aca6ae492b2800a4d
SHA2562412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b
SHA512d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b
-
Filesize
130KB
MD5dc5f27d5f080e77f1b205e80199d5c1f
SHA10de5aa944ad8e1e5f1f064235ebb16f87c806d78
SHA25660a1f61c367696219175b73eccdc868c44090b227b47754454c9fc47a5848f62
SHA512c650d22eca52a4e05a0d5791f08c7b636986b8685a74b3264eb3efa400e0a0f687b013c57a1b890fc8ce98644e5a66f5b4e924d79b4ac60087a5c220ab3467df
-
Filesize
787KB
MD5ba0255f547fab7eed60863ad27d24c97
SHA1a5d095ac3d746eb400a314317a88c215d78cc304
SHA2565fd7f167bdf289ae48b9f0f68e63c07370427d4eb8436005a5859b5bba3a7d2b
SHA512e672daa19be91d84e5f2e0124b0508faeb241c91c6515f687a55b20d8febb2e2360e695aaf2e1d252e9ed0d494f71087315199f7b43eb6fa13949484ee177ea0
-
Filesize
305KB
MD50d30a398cec0ff006b6ea2b52d11e744
SHA14ceebd9c6180a321c4d4f3cfb5cfc3952bf72b45
SHA2568604bf2a1fe2e94dc1ea1fbd0cf54e77303493b93994df48479dc683580aa654
SHA5128e06ff131a81e73b1ff5de78262701a11ecc2bcdaf41011f4e96f11c5372742478e70b6a0901b61953c21c95725532af8d785654405ec5066ad157e2143467cc
-
Filesize
971KB
MD5695ef3be6c2169067e0f1d9f7d99bc27
SHA124185ff27f8a64fb71abf29b8f1338492cd7c0c6
SHA25678d4f282269afba07ba89d1434dc1c3f9c48097fc252e93cf94e493ac8c109fd
SHA512b3c7d1cee7f6ae16d66caf1d39113c0b5fe1b7ac4fb813134450679c82a2d306293799efc66c4d2ffed703dbc3921136f3cb393c2c4452791c8681129c74ed36
-
Filesize
349KB
MD54e8246df4ee956ec273c4baa2054593c
SHA17847f523fefc14fec2c739c293593b673fb1c9d8
SHA2561172732fd0fe6b679f5c6bf750598133dc815622c55ef1fa84087087bf42b495
SHA51213398ea46879d533774e7ace1d3320ca60f7220277fcb2393c243ffeadbb5bb37900f87ac35b9eeb134e26e71068874b9eee226853a52d1528d5db761bcf22b7
-
Filesize
61KB
MD589ae031a0e2f7f28576a63d3c100dcaf
SHA16b26dfe7e76fbc96109a4d0773593443277978df
SHA256acaa87f43a617016d09caeb26c1e30d9e9fd069fcbe2165723f80a0056aaf6bf
SHA512aea507c78832cca5bf4b7c16ac5ba9b4b87028d2a99fbd1ca535a6336952516ab74571475f2a074b89b9c12754a2979803a3aba74c7a326f2c70a8431a7010d6
-
Filesize
160B
MD5e77ad31bc5f374509a58d6fa2f615f8c
SHA148803c2ac246abe2fb1e4d681a35a4c9a73e970b
SHA256ccf73d269a1fdce91e714b228727c62d83d8e80cdebe5c6d9ae5dcf9a09a0a02
SHA5124db4140a61b2e117d789c9c9897739c5e2cec1fa45b6d7b30638c11d742f1aea9224b3b53c27b478e3a6dd62568be0968a279fd19fb3795bd596c4b246d9fa89
-
Filesize
160B
MD50174216b85436153177a576fca992207
SHA1e4bfaaea0172c79c488f67e297c872c5dc82aaf6
SHA256c991f97535cc3f9da3cf02962e16a90d76fa858bce6224d039ef8239adfe60ff
SHA51220058ab55cc4659b6accb0a8d9efb544602b02d93089a773721cd00a147903faabb1261d74538528e5e289dcc9b0ebfaa5902d06f3acb0fdda106f61965677bb
-
Filesize
160B
MD5f66f598191e5bea61e432d61ebc2dbc9
SHA1241ba3e64df7799de336ee18f5be59ce286f5a74
SHA2568d3f34501ccad67e1d7e8bb8e1b96af02dd5e1f67f1f70e643a20764579320c6
SHA5128b1c12671ae19e8b385ba2f27cc536b40c65895f3b5fa40fce1575e7b3e846a0421b0e220d4f96cd83096b5ca7b558b2b9bbb1625106d2a292da948e90fe573d
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
960KB
-
Filesize
15.7MB
-
Filesize
960KB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
15.7MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
15.7MB
-
Filesize
960KB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
624KB
-
Filesize
960KB
-
Filesize
88KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
15.7MB