Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14/06/2024, 21:39

Static task
- static1

Behavioral task
- behavioral1
  Sample: ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
  Resource: win7-20240611-en

Behavioral task
- behavioral2
  Sample: ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
- Size: 684KB
- MD5: ab95b07eeb30a98ec33aa2cb0c8d7929
- SHA1: 6d8871a497703d5f7c5437c22d7cd73231460d44
- SHA256: d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629
- SHA512: 0a19d5f3f16ab4e675e7370d300902f8a947c1cdb1b64d85e5493d3664a0ade1e965fbb92d9397f75413968a5c288a7f9644b4adcdabe4df798b7faf0e3fbb3d
- SSDEEP: 12288:3hoqeAQCtaNBoQLsivV4aURL3LtRFOQBfVb08aOso295bl7k4FWVluBUZSaHyOCu:qPCk1BFe

Malware Config
- Extracted family: azorult
- C2: http://888security.ru/c0visteal/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (41 IoCs)
- Loads dropped DLL (64 IoCs)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2072 set thread context of 2604; pid: 2072; process: ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe; procid_target: 29
- Suspicious use of SetWindowsHookEx (41 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe (PID 2072, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2784)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:CreateProcessW
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe (PID 2604)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"
    Signatures: none listed
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2712)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtUnmapViewOfSection
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2616)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2032)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2500)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:VirtualAllocEx
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2476)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2404)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2460)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 556)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1500)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2796)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1536)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2204)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1716)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1340)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2452)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1360)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1992)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2280)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2244)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2332)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 3064)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1604)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 3036)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1816)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1792)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1564)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 748)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1092)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 648)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2444)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1188)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 684)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2904)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1632)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2108)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:GetThreadContext
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2868)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 1820)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2040)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2736)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:SetThreadContext
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\gPointer.exe (PID 2720)
    Command line: C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:ResumeThread
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx