Malware Analysis Report

2024-08-06 13:27

Sample ID 240614-1htl1axara
Target ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118
SHA256 d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629
Tags
azorult infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629

Threat Level: Known bad

The file ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

azorult infostealer trojan

Azorult

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 21:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 21:39

Reported

2024-06-14 21:42

Platform

win7-20240611-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
(41 identical rows in the original report)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe N/A
(64 identical rows in the original report)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
(40 identical rows in the original report)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
PID 2072 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
PID 2072 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
PID 2072 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
PID 2072 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
PID 2072 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 2072 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:CreateProcessW

C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtUnmapViewOfSection

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
(entry repeated 2 times in the original report)

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:VirtualAllocEx

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
(entry repeated 30 times in the original report)

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:GetThreadContext

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
(entry repeated 3 times in the original report)

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:SetThreadContext

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:ResumeThread

Network

Country Destination Domain Proto
US 8.8.8.8:53 888security.ru udp
US 8.8.8.8:53 888security.ru udp

Files

\Users\Admin\AppData\Local\Temp\gPointer.exe

MD5 e527bfc4146d390d4c83f44f5b92d628
SHA1 01238dd13d9d794ad8293cee82dcff85b6a832e8
SHA256 0ed922eaf201e55093c5150d028424d63847117adbfe6d786f453ddd9169846f
SHA512 75fe52afa1b8304f856844ad7d303e5413fc0ce8d61609bb61add1f666b3524412a53a3ffaf46fdaa0a4951a5efae80837202b3bdd0300cbace2707cd8a423e8

C:\Users\Admin\AppData\Local\Temp\CreateProcessW

MD5 33328fe0d452de1fcace924f428dc1a2
SHA1 18ba5cc6adcf53f5682da8f9d9648d7cb02d7bc8
SHA256 5b6c14f97f4f6ab7678b9589ce30cd8b60f3d366eafd1f24f617085d30e89e0f
SHA512 b697e1898f59e8914129b2f57f5cd0666716fdce80445b354a3fd626f8389ddb1abd3157d9b436e62f9b30a7130adb30fb92708ec1d9e2afae1904772d565371

C:\Users\Admin\AppData\Local\Temp\NtUnmapViewOfSection

MD5 fed345c574053e01772a93d6d0db6e6c
SHA1 3cccecb036da26a0773a02c8d5aa293635e52047
SHA256 c831d2f753a85cf3f365607dafd253996456b3a9bca605b8e2ca1b1910b68039
SHA512 4b062e5c2b098678f3aecafa60c48df0f0f806dc342c2df096df76767437e3f29cd700f147c29759ee159372cad384b635c6c937c49d19f3e969ebfa44fc33c5

C:\Users\Admin\AppData\Local\Temp\NtWriteVirtualMemory

MD5 2891518ec42935899e763f07ae89fb79
SHA1 72b9b72b3c2c9a256d81a69d60d56064875059ad
SHA256 8fa72887aa2625367b3bcde8bc2fe73adfbecd39f4ce8b936f1d7fb3469f63c3
SHA512 f6a41fd7855e99b672af16aebceba316790d3aa7e407b6d1e11d68adcb8aefe664e70bd2370d72c66dcb292e81eb9fd3ec775d0a7dc259aad1c09cd7fd5f2464

C:\Users\Admin\AppData\Local\Temp\VirtualAllocEx

MD5 881609b31a187d1babbf4df645fda08f
SHA1 1b5fe961a3eb2de8d41d884fbc34d665f3a232a9
SHA256 1b713c59ea696158cda790542dafe750fce9ae710ad759ff429213f01bb20eb8
SHA512 8a38a724dfe92ea6a983dfb16cb9711fbd85a68bebd737434c3b6783d9b3f4d483ed5b00f452d59bfaf21656651ee8697ffd062584bf6e2c5a097b1a9ad6db81

memory/2108-317-0x00000000771D0000-0x00000000772CA000-memory.dmp

memory/2108-316-0x00000000772D0000-0x00000000773EF000-memory.dmp

memory/2604-346-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2604-355-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2604-356-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2604-357-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 21:39

Reported

2024-06-14 21:42

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
(37 identical rows in the original report)
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gPointer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
PID 1504 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
PID 1504 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
PID 1504 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
PID 1504 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe
PID 1504 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe
PID 1504 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\gPointer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:CreateProcessW

C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtUnmapViewOfSection

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:VirtualAllocEx

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:GetThreadContext

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:SetThreadContext

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:ResumeThread

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 888security.ru udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 888security.ru udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\gPointer.exe

MD5 e527bfc4146d390d4c83f44f5b92d628
SHA1 01238dd13d9d794ad8293cee82dcff85b6a832e8
SHA256 0ed922eaf201e55093c5150d028424d63847117adbfe6d786f453ddd9169846f
SHA512 75fe52afa1b8304f856844ad7d303e5413fc0ce8d61609bb61add1f666b3524412a53a3ffaf46fdaa0a4951a5efae80837202b3bdd0300cbace2707cd8a423e8

C:\Users\Admin\AppData\Local\Temp\CreateProcessW

MD5 adf2c1bb505278eca5f37c54eb875a86
SHA1 93766553db50abe858539e267ad79561f10fa782
SHA256 555d4bfd115e090bb7128ffd5c497302676ca03f162d58a7552ea8c1c3ce3bb6
SHA512 3546916aa001805ce8ddef044147dd1412266e67aa99e04f179152963600e19ff57a982da0ba20cfe9affda66391167fe639d0fc820d4b58bcfdb48fe251e721

C:\Users\Admin\AppData\Local\Temp\NtUnmapViewOfSection

MD5 16f9adfb5431d1853c8a8498028435d1
SHA1 8c4cab3e4ebe4ffd03ac957da93a10e4de5b0b26
SHA256 058433a3267b3cad54afb485085eabdf967847cfa70090b927c3ee6d8fa47d94
SHA512 9ef910289f8c1455590d019eff231ce4bf99fc34cf46c416e05b1e09301f56bb3fd7a31a49322200b86d10fdb65f90075810f24450152b97de7b83facc60e48f

C:\Users\Admin\AppData\Local\Temp\NtWriteVirtualMemory

MD5 c392730474dda843e8555ef63c021814
SHA1 4e95fb68a6e581964d59c09b993dce4ea256c248
SHA256 d747bc0221d448a9fe3d4aaeabbad652dc9a25cfd3ae86fc1688586a8f71e1a9
SHA512 e079913155c7b0652940ac35c5316ae92b8fb00a1068918e7c9092a412d52807bc62b19cf4731163eb2e4164d078f9637684605dda4ad19a9ad46400422bfd3f

C:\Users\Admin\AppData\Local\Temp\VirtualAllocEx

MD5 7b19533e9e75f19e621768bcba41f89b
SHA1 50729edfac5701026272bb22640a8bba055757f5
SHA256 8d0a6d073e744b9ba307318b5b7f9cc8e2f1c74d79972a6ea1fea52943420675
SHA512 c8e76d45ef63ed982a69fdeef3fe14c5157b62ad171bb6b721f73277af03f92cdff76336636565dc4a372e622191f44e8d168798deaaddba2abf510a060f7787

memory/4028-188-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4028-193-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4028-194-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4028-195-0x0000000000400000-0x0000000000420000-memory.dmp