azorult | d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629

Analysis

max time kernel
137s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
Size

684KB
MD5

ab95b07eeb30a98ec33aa2cb0c8d7929
SHA1

6d8871a497703d5f7c5437c22d7cd73231460d44
SHA256

d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629
SHA512

0a19d5f3f16ab4e675e7370d300902f8a947c1cdb1b64d85e5493d3664a0ade1e965fbb92d9397f75413968a5c288a7f9644b4adcdabe4df798b7faf0e3fbb3d
SSDEEP

12288:3hoqeAQCtaNBoQLsivV4aURL3LtRFOQBfVb08aOso295bl7k4FWVluBUZSaHyOCu:qPCk1BFe

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://888security.ru/c0visteal/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 41 IoCs

pid	Process
4524	gPointer.exe
464	gPointer.exe
5116	gPointer.exe
3132	gPointer.exe
4780	gPointer.exe
2088	gPointer.exe
3684	gPointer.exe
1436	gPointer.exe
4232	gPointer.exe
1096	gPointer.exe
2724	gPointer.exe
1036	gPointer.exe
4836	gPointer.exe
2568	gPointer.exe
3820	gPointer.exe
4776	gPointer.exe
3780	gPointer.exe
3580	gPointer.exe
1188	gPointer.exe
3840	gPointer.exe
4412	gPointer.exe
4548	gPointer.exe
1684	gPointer.exe
2496	gPointer.exe
4320	gPointer.exe
3544	gPointer.exe
4400	gPointer.exe
696	gPointer.exe
4748	gPointer.exe
4060	gPointer.exe
5004	gPointer.exe
3888	gPointer.exe
4780	gPointer.exe
2088	gPointer.exe
4360	gPointer.exe
1436	gPointer.exe
4076	gPointer.exe
4848	gPointer.exe
3396	gPointer.exe
1036	gPointer.exe
4788	gPointer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 4028	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	93

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
4524	gPointer.exe
464	gPointer.exe
5116	gPointer.exe
3132	gPointer.exe
4780	gPointer.exe
2088	gPointer.exe
3684	gPointer.exe
1436	gPointer.exe
4232	gPointer.exe
1096	gPointer.exe
2724	gPointer.exe
1036	gPointer.exe
4836	gPointer.exe
2568	gPointer.exe
3820	gPointer.exe
4776	gPointer.exe
3780	gPointer.exe
3580	gPointer.exe
1188	gPointer.exe
3840	gPointer.exe
4412	gPointer.exe
4548	gPointer.exe
1684	gPointer.exe
2496	gPointer.exe
4320	gPointer.exe
3544	gPointer.exe
4400	gPointer.exe
696	gPointer.exe
4748	gPointer.exe
4060	gPointer.exe
5004	gPointer.exe
3888	gPointer.exe
4780	gPointer.exe
2088	gPointer.exe
4360	gPointer.exe
1436	gPointer.exe
4076	gPointer.exe
4848	gPointer.exe
3396	gPointer.exe
1036	gPointer.exe
4788	gPointer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 4524	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	92
PID 1504 wrote to memory of 4524	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	92
PID 1504 wrote to memory of 4524	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	92
PID 1504 wrote to memory of 4028	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	93
PID 1504 wrote to memory of 4028	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	93
PID 1504 wrote to memory of 4028	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	93
PID 1504 wrote to memory of 464	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	94
PID 1504 wrote to memory of 464	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	94
PID 1504 wrote to memory of 464	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	94
PID 1504 wrote to memory of 5116	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	95
PID 1504 wrote to memory of 5116	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	95
PID 1504 wrote to memory of 5116	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	95
PID 1504 wrote to memory of 3132	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	96
PID 1504 wrote to memory of 3132	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	96
PID 1504 wrote to memory of 3132	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	96
PID 1504 wrote to memory of 4780	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	97
PID 1504 wrote to memory of 4780	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	97
PID 1504 wrote to memory of 4780	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	97
PID 1504 wrote to memory of 2088	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	98
PID 1504 wrote to memory of 2088	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	98
PID 1504 wrote to memory of 2088	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	98
PID 1504 wrote to memory of 3684	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	99
PID 1504 wrote to memory of 3684	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	99
PID 1504 wrote to memory of 3684	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	99
PID 1504 wrote to memory of 1436	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	100
PID 1504 wrote to memory of 1436	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	100
PID 1504 wrote to memory of 1436	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	100
PID 1504 wrote to memory of 4028	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	93
PID 1504 wrote to memory of 4232	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	101
PID 1504 wrote to memory of 4232	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	101
PID 1504 wrote to memory of 4232	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	101
PID 1504 wrote to memory of 1096	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	102
PID 1504 wrote to memory of 1096	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	102
PID 1504 wrote to memory of 1096	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	102
PID 1504 wrote to memory of 2724	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	103
PID 1504 wrote to memory of 2724	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	103
PID 1504 wrote to memory of 2724	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	103
PID 1504 wrote to memory of 1036	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	104
PID 1504 wrote to memory of 1036	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	104
PID 1504 wrote to memory of 1036	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	104
PID 1504 wrote to memory of 4836	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	107
PID 1504 wrote to memory of 4836	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	107
PID 1504 wrote to memory of 4836	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	107
PID 1504 wrote to memory of 2568	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	108
PID 1504 wrote to memory of 2568	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	108
PID 1504 wrote to memory of 2568	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	108
PID 1504 wrote to memory of 3820	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	109
PID 1504 wrote to memory of 3820	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	109
PID 1504 wrote to memory of 3820	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	109
PID 1504 wrote to memory of 4028	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	93
PID 1504 wrote to memory of 4776	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	110
PID 1504 wrote to memory of 4776	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	110
PID 1504 wrote to memory of 4776	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	110
PID 1504 wrote to memory of 3780	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	111
PID 1504 wrote to memory of 3780	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	111
PID 1504 wrote to memory of 3780	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	111
PID 1504 wrote to memory of 3580	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	112
PID 1504 wrote to memory of 3580	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	112
PID 1504 wrote to memory of 3580	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	112
PID 1504 wrote to memory of 1188	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	113
PID 1504 wrote to memory of 1188	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	113
PID 1504 wrote to memory of 1188	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	113
PID 1504 wrote to memory of 3840	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	114
PID 1504 wrote to memory of 3840	1504	ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe	114

C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:CreateProcessW
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4524
- C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"
  2⤵
  PID:4028
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtUnmapViewOfSection
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:464
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5116
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3132
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:VirtualAllocEx
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3684
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4232
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1096
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3820
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4776
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3780
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3840
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4412
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4548
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4320
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3544
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4400
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:696
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4060
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3888
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4360
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:GetThreadContext
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4076
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3396
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:SetThreadContext
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:ResumeThread
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CreateProcessW

Filesize
10B

MD5
adf2c1bb505278eca5f37c54eb875a86

SHA1
93766553db50abe858539e267ad79561f10fa782

SHA256
555d4bfd115e090bb7128ffd5c497302676ca03f162d58a7552ea8c1c3ce3bb6

SHA512
3546916aa001805ce8ddef044147dd1412266e67aa99e04f179152963600e19ff57a982da0ba20cfe9affda66391167fe639d0fc820d4b58bcfdb48fe251e721

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtUnmapViewOfSection

Filesize
10B

MD5
16f9adfb5431d1853c8a8498028435d1

SHA1
8c4cab3e4ebe4ffd03ac957da93a10e4de5b0b26

SHA256
058433a3267b3cad54afb485085eabdf967847cfa70090b927c3ee6d8fa47d94

SHA512
9ef910289f8c1455590d019eff231ce4bf99fc34cf46c416e05b1e09301f56bb3fd7a31a49322200b86d10fdb65f90075810f24450152b97de7b83facc60e48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtWriteVirtualMemory

Filesize
10B

MD5
c392730474dda843e8555ef63c021814

SHA1
4e95fb68a6e581964d59c09b993dce4ea256c248

SHA256
d747bc0221d448a9fe3d4aaeabbad652dc9a25cfd3ae86fc1688586a8f71e1a9

SHA512
e079913155c7b0652940ac35c5316ae92b8fb00a1068918e7c9092a412d52807bc62b19cf4731163eb2e4164d078f9637684605dda4ad19a9ad46400422bfd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VirtualAllocEx

Filesize
10B

MD5
7b19533e9e75f19e621768bcba41f89b

SHA1
50729edfac5701026272bb22640a8bba055757f5

SHA256
8d0a6d073e744b9ba307318b5b7f9cc8e2f1c74d79972a6ea1fea52943420675

SHA512
c8e76d45ef63ed982a69fdeef3fe14c5157b62ad171bb6b721f73277af03f92cdff76336636565dc4a372e622191f44e8d168798deaaddba2abf510a060f7787

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPointer.exe

Filesize
20KB

MD5
e527bfc4146d390d4c83f44f5b92d628

SHA1
01238dd13d9d794ad8293cee82dcff85b6a832e8

SHA256
0ed922eaf201e55093c5150d028424d63847117adbfe6d786f453ddd9169846f

SHA512
75fe52afa1b8304f856844ad7d303e5413fc0ce8d61609bb61add1f666b3524412a53a3ffaf46fdaa0a4951a5efae80837202b3bdd0300cbace2707cd8a423e8

Download Submit
memory/4028-188-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4028-193-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4028-194-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4028-195-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download