azorult | d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
Size

684KB
MD5

ab95b07eeb30a98ec33aa2cb0c8d7929
SHA1

6d8871a497703d5f7c5437c22d7cd73231460d44
SHA256

d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629
SHA512

0a19d5f3f16ab4e675e7370d300902f8a947c1cdb1b64d85e5493d3664a0ade1e965fbb92d9397f75413968a5c288a7f9644b4adcdabe4df798b7faf0e3fbb3d
SSDEEP

12288:3hoqeAQCtaNBoQLsivV4aURL3LtRFOQBfVb08aOso295bl7k4FWVluBUZSaHyOCu:qPCk1BFe

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://888security.ru/c0visteal/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 41 IoCs

pid	Process
2784	gPointer.exe
2712	gPointer.exe
2616	gPointer.exe
2032	gPointer.exe
2500	gPointer.exe
2476	gPointer.exe
2404	gPointer.exe
2460	gPointer.exe
556	gPointer.exe
1500	gPointer.exe
2796	gPointer.exe
1536	gPointer.exe
2204	gPointer.exe
1716	gPointer.exe
1340	gPointer.exe
2452	gPointer.exe
1360	gPointer.exe
1992	gPointer.exe
2280	gPointer.exe
2244	gPointer.exe
2332	gPointer.exe
3064	gPointer.exe
1604	gPointer.exe
3036	gPointer.exe
1816	gPointer.exe
1792	gPointer.exe
1564	gPointer.exe
748	gPointer.exe
1092	gPointer.exe
648	gPointer.exe
2444	gPointer.exe
1188	gPointer.exe
684	gPointer.exe
2904	gPointer.exe
1632	gPointer.exe
2108	gPointer.exe
2868	gPointer.exe
1820	gPointer.exe
2040	gPointer.exe
2736	gPointer.exe
2720	gPointer.exe

Loads dropped DLL 64 IoCs

pid	Process
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2604	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	29

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
2784	gPointer.exe
2712	gPointer.exe
2616	gPointer.exe
2032	gPointer.exe
2500	gPointer.exe
2476	gPointer.exe
2404	gPointer.exe
2460	gPointer.exe
556	gPointer.exe
1500	gPointer.exe
2796	gPointer.exe
1536	gPointer.exe
2204	gPointer.exe
1716	gPointer.exe
1340	gPointer.exe
2452	gPointer.exe
1360	gPointer.exe
1992	gPointer.exe
2280	gPointer.exe
2244	gPointer.exe
2332	gPointer.exe
3064	gPointer.exe
1604	gPointer.exe
3036	gPointer.exe
1816	gPointer.exe
1792	gPointer.exe
1564	gPointer.exe
748	gPointer.exe
1092	gPointer.exe
648	gPointer.exe
2444	gPointer.exe
1188	gPointer.exe
684	gPointer.exe
2904	gPointer.exe
1632	gPointer.exe
2868	gPointer.exe
1820	gPointer.exe
2040	gPointer.exe
2736	gPointer.exe
2720	gPointer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2784	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2784	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2784	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2784	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2604	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	29
PID 2072 wrote to memory of 2604	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	29
PID 2072 wrote to memory of 2604	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	29
PID 2072 wrote to memory of 2604	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	29
PID 2072 wrote to memory of 2712	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2712	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2712	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2712	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2616	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2616	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2616	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2616	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2032	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	32
PID 2072 wrote to memory of 2032	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	32
PID 2072 wrote to memory of 2032	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	32
PID 2072 wrote to memory of 2032	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	32
PID 2072 wrote to memory of 2500	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	33
PID 2072 wrote to memory of 2500	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	33
PID 2072 wrote to memory of 2500	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	33
PID 2072 wrote to memory of 2500	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	33
PID 2072 wrote to memory of 2476	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	34
PID 2072 wrote to memory of 2476	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	34
PID 2072 wrote to memory of 2476	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	34
PID 2072 wrote to memory of 2476	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	34
PID 2072 wrote to memory of 2404	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	35
PID 2072 wrote to memory of 2404	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	35
PID 2072 wrote to memory of 2404	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	35
PID 2072 wrote to memory of 2404	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	35
PID 2072 wrote to memory of 2460	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	36
PID 2072 wrote to memory of 2460	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	36
PID 2072 wrote to memory of 2460	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	36
PID 2072 wrote to memory of 2460	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	36
PID 2072 wrote to memory of 2604	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	29
PID 2072 wrote to memory of 556	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	37
PID 2072 wrote to memory of 556	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	37
PID 2072 wrote to memory of 556	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	37
PID 2072 wrote to memory of 556	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	37
PID 2072 wrote to memory of 1500	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	38
PID 2072 wrote to memory of 1500	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	38
PID 2072 wrote to memory of 1500	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	38
PID 2072 wrote to memory of 1500	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	38
PID 2072 wrote to memory of 2796	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	39
PID 2072 wrote to memory of 2796	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	39
PID 2072 wrote to memory of 2796	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	39
PID 2072 wrote to memory of 2796	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	39
PID 2072 wrote to memory of 1536	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	40
PID 2072 wrote to memory of 1536	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	40
PID 2072 wrote to memory of 1536	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	40
PID 2072 wrote to memory of 1536	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	40
PID 2072 wrote to memory of 2204	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	41
PID 2072 wrote to memory of 2204	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	41
PID 2072 wrote to memory of 2204	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	41
PID 2072 wrote to memory of 2204	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	41
PID 2072 wrote to memory of 1716	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	42
PID 2072 wrote to memory of 1716	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	42
PID 2072 wrote to memory of 1716	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	42
PID 2072 wrote to memory of 1716	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	42
PID 2072 wrote to memory of 1340	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	43
PID 2072 wrote to memory of 1340	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	43
PID 2072 wrote to memory of 1340	2072	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	43

C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:CreateProcessW
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtUnmapViewOfSection
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:VirtualAllocEx
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2500
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:556
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1340
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:748
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1092
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:648
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:684
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:GetThreadContext
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1820
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:SetThreadContext
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:ResumeThread
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CreateProcessW

Filesize
10B

MD5
33328fe0d452de1fcace924f428dc1a2

SHA1
18ba5cc6adcf53f5682da8f9d9648d7cb02d7bc8

SHA256
5b6c14f97f4f6ab7678b9589ce30cd8b60f3d366eafd1f24f617085d30e89e0f

SHA512
b697e1898f59e8914129b2f57f5cd0666716fdce80445b354a3fd626f8389ddb1abd3157d9b436e62f9b30a7130adb30fb92708ec1d9e2afae1904772d565371

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtUnmapViewOfSection

Filesize
10B

MD5
fed345c574053e01772a93d6d0db6e6c

SHA1
3cccecb036da26a0773a02c8d5aa293635e52047

SHA256
c831d2f753a85cf3f365607dafd253996456b3a9bca605b8e2ca1b1910b68039

SHA512
4b062e5c2b098678f3aecafa60c48df0f0f806dc342c2df096df76767437e3f29cd700f147c29759ee159372cad384b635c6c937c49d19f3e969ebfa44fc33c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtWriteVirtualMemory

Filesize
10B

MD5
2891518ec42935899e763f07ae89fb79

SHA1
72b9b72b3c2c9a256d81a69d60d56064875059ad

SHA256
8fa72887aa2625367b3bcde8bc2fe73adfbecd39f4ce8b936f1d7fb3469f63c3

SHA512
f6a41fd7855e99b672af16aebceba316790d3aa7e407b6d1e11d68adcb8aefe664e70bd2370d72c66dcb292e81eb9fd3ec775d0a7dc259aad1c09cd7fd5f2464

Download Submit
C:\Users\Admin\AppData\Local\Temp\VirtualAllocEx

Filesize
10B

MD5
881609b31a187d1babbf4df645fda08f

SHA1
1b5fe961a3eb2de8d41d884fbc34d665f3a232a9

SHA256
1b713c59ea696158cda790542dafe750fce9ae710ad759ff429213f01bb20eb8

SHA512
8a38a724dfe92ea6a983dfb16cb9711fbd85a68bebd737434c3b6783d9b3f4d483ed5b00f452d59bfaf21656651ee8697ffd062584bf6e2c5a097b1a9ad6db81

Download Submit
\Users\Admin\AppData\Local\Temp\gPointer.exe

Filesize
20KB

MD5
e527bfc4146d390d4c83f44f5b92d628

SHA1
01238dd13d9d794ad8293cee82dcff85b6a832e8

SHA256
0ed922eaf201e55093c5150d028424d63847117adbfe6d786f453ddd9169846f

SHA512
75fe52afa1b8304f856844ad7d303e5413fc0ce8d61609bb61add1f666b3524412a53a3ffaf46fdaa0a4951a5efae80837202b3bdd0300cbace2707cd8a423e8

Download Submit
memory/2108-317-0x00000000771D0000-0x00000000772CA000-memory.dmp

Filesize
1000KB

Download
memory/2108-316-0x00000000772D0000-0x00000000773EF000-memory.dmp

Filesize
1.1MB

Download
memory/2604-346-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2604-355-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2604-356-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2604-357-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download