azorult | d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab95b07eeb30a98ec33aa2cb0c8d7929.exe
Size

684KB
MD5

ab95b07eeb30a98ec33aa2cb0c8d7929
SHA1

6d8871a497703d5f7c5437c22d7cd73231460d44
SHA256

d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629
SHA512

0a19d5f3f16ab4e675e7370d300902f8a947c1cdb1b64d85e5493d3664a0ade1e965fbb92d9397f75413968a5c288a7f9644b4adcdabe4df798b7faf0e3fbb3d
SSDEEP

12288:3hoqeAQCtaNBoQLsivV4aURL3LtRFOQBfVb08aOso295bl7k4FWVluBUZSaHyOCu:qPCk1BFe

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://888security.ru/c0visteal/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 41 IoCs

pid	Process
2980	gPointer.exe
2608	gPointer.exe
2612	gPointer.exe
2652	gPointer.exe
1632	gPointer.exe
2472	gPointer.exe
2944	gPointer.exe
1440	gPointer.exe
2696	gPointer.exe
2772	gPointer.exe
748	gPointer.exe
1572	gPointer.exe
1492	gPointer.exe
1340	gPointer.exe
524	gPointer.exe
2044	gPointer.exe
2984	gPointer.exe
2792	gPointer.exe
2244	gPointer.exe
2884	gPointer.exe
2084	gPointer.exe
1732	gPointer.exe
2848	gPointer.exe
1528	gPointer.exe
2344	gPointer.exe
1460	gPointer.exe
3028	gPointer.exe
2096	gPointer.exe
112	gPointer.exe
1664	gPointer.exe
940	gPointer.exe
2912	gPointer.exe
1840	gPointer.exe
3012	gPointer.exe
2856	gPointer.exe
2356	gPointer.exe
1612	gPointer.exe
1484	gPointer.exe
3036	gPointer.exe
2704	gPointer.exe
2692	gPointer.exe

Loads dropped DLL 64 IoCs

pid	Process
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 2588	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	29

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
2980	gPointer.exe
2608	gPointer.exe
2612	gPointer.exe
2652	gPointer.exe
1632	gPointer.exe
2472	gPointer.exe
2944	gPointer.exe
1440	gPointer.exe
2696	gPointer.exe
2772	gPointer.exe
748	gPointer.exe
1572	gPointer.exe
1492	gPointer.exe
1340	gPointer.exe
524	gPointer.exe
2044	gPointer.exe
2984	gPointer.exe
2792	gPointer.exe
2244	gPointer.exe
2884	gPointer.exe
2084	gPointer.exe
1732	gPointer.exe
2848	gPointer.exe
1528	gPointer.exe
2344	gPointer.exe
1460	gPointer.exe
3028	gPointer.exe
2096	gPointer.exe
112	gPointer.exe
1664	gPointer.exe
940	gPointer.exe
2912	gPointer.exe
1840	gPointer.exe
3012	gPointer.exe
2856	gPointer.exe
2356	gPointer.exe
1612	gPointer.exe
1484	gPointer.exe
3036	gPointer.exe
2704	gPointer.exe
2692	gPointer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2980	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	28
PID 1608 wrote to memory of 2980	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	28
PID 1608 wrote to memory of 2980	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	28
PID 1608 wrote to memory of 2980	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	28
PID 1608 wrote to memory of 2588	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	29
PID 1608 wrote to memory of 2588	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	29
PID 1608 wrote to memory of 2588	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	29
PID 1608 wrote to memory of 2588	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	29
PID 1608 wrote to memory of 2608	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	30
PID 1608 wrote to memory of 2608	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	30
PID 1608 wrote to memory of 2608	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	30
PID 1608 wrote to memory of 2608	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	30
PID 1608 wrote to memory of 2612	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	31
PID 1608 wrote to memory of 2612	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	31
PID 1608 wrote to memory of 2612	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	31
PID 1608 wrote to memory of 2612	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	31
PID 1608 wrote to memory of 2652	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	32
PID 1608 wrote to memory of 2652	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	32
PID 1608 wrote to memory of 2652	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	32
PID 1608 wrote to memory of 2652	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	32
PID 1608 wrote to memory of 1632	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	33
PID 1608 wrote to memory of 1632	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	33
PID 1608 wrote to memory of 1632	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	33
PID 1608 wrote to memory of 1632	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	33
PID 1608 wrote to memory of 2472	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	34
PID 1608 wrote to memory of 2472	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	34
PID 1608 wrote to memory of 2472	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	34
PID 1608 wrote to memory of 2472	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	34
PID 1608 wrote to memory of 2944	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	35
PID 1608 wrote to memory of 2944	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	35
PID 1608 wrote to memory of 2944	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	35
PID 1608 wrote to memory of 2944	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	35
PID 1608 wrote to memory of 1440	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	36
PID 1608 wrote to memory of 1440	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	36
PID 1608 wrote to memory of 1440	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	36
PID 1608 wrote to memory of 1440	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	36
PID 1608 wrote to memory of 2588	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	29
PID 1608 wrote to memory of 2696	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	37
PID 1608 wrote to memory of 2696	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	37
PID 1608 wrote to memory of 2696	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	37
PID 1608 wrote to memory of 2696	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	37
PID 1608 wrote to memory of 2772	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	38
PID 1608 wrote to memory of 2772	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	38
PID 1608 wrote to memory of 2772	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	38
PID 1608 wrote to memory of 2772	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	38
PID 1608 wrote to memory of 748	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	39
PID 1608 wrote to memory of 748	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	39
PID 1608 wrote to memory of 748	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	39
PID 1608 wrote to memory of 748	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	39
PID 1608 wrote to memory of 1572	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	40
PID 1608 wrote to memory of 1572	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	40
PID 1608 wrote to memory of 1572	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	40
PID 1608 wrote to memory of 1572	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	40
PID 1608 wrote to memory of 1492	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	41
PID 1608 wrote to memory of 1492	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	41
PID 1608 wrote to memory of 1492	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	41
PID 1608 wrote to memory of 1492	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	41
PID 1608 wrote to memory of 1340	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	42
PID 1608 wrote to memory of 1340	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	42
PID 1608 wrote to memory of 1340	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	42
PID 1608 wrote to memory of 1340	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	42
PID 1608 wrote to memory of 524	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	43
PID 1608 wrote to memory of 524	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	43
PID 1608 wrote to memory of 524	1608	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	43

C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929.exe
"C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:CreateProcessW
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929.exe
  "C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929.exe"
  2⤵
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtUnmapViewOfSection
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:VirtualAllocEx
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:748
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1572
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1340
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:524
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1460
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3028
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:112
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:940
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:GetThreadContext
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1612
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:SetThreadContext
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:ResumeThread
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CreateProcessW

Filesize
10B

MD5
b798ea601db51b42f305952d9110b519

SHA1
5b613ee7bc06ee513c2cedaaa0f72fd4c660c4a9

SHA256
911fb7514c2b8fad9decf80072f4e73f93372c86ffa24d08b756d8000843d1bb

SHA512
2a548d935531b2e4355064aa5283eeac3f72f3835d8804c0b99cf597a766d46b4e7646c534e9598b43a1a4e2ba908c06d8ec757dbf7c3fc19711674fe4ace370

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtUnmapViewOfSection

Filesize
10B

MD5
4058813fd91ff52e9836842b49783315

SHA1
9cb956c5a54d3b2000b150fa172a676d70db18da

SHA256
7619e6f7f711cc7783f7284d044d14b8c6fa8cde856cd02d08fde61f1b32093e

SHA512
3bc7cbc0b5b0282d1c11635db08c4c0efa5b7ae52f9a33662da5b212ee178e6fb76ac747d9c9ae49c6b6494dc367fa73bd9f2a90bac766f23677b938ba3cd467

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtWriteVirtualMemory

Filesize
10B

MD5
6cb28b918e07a9ea341ffd16de2291ad

SHA1
e8e56ac461d22c6ea225e1c1d52ef58147733280

SHA256
a5c9283d23f592c364eebd54aa7b5bbdeb87b44de563c47e38cd664830c35683

SHA512
5ffdada94238351726101fdcc28083df3ed894ea16711d5cef9a503a27fcae629be2eeab3f8be6d590f2084fc3fc8cb3a4d467f91824a677497ca4a9d962906f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VirtualAllocEx

Filesize
10B

MD5
1ecac93c8c605a122996ff9bb497b799

SHA1
f1e5a31b76fa6ee8aa5867e040b3d810855fa66f

SHA256
a8405420da93a958bb727ccf352ad0e9a0576c5751c01b57e9644dbd15d3da04

SHA512
c13c6d647fcc4d01bc90a3cfee7377089a61a3ed794d596c034f2fbd195f5e76f7831396d374e1c000d5b020cb66779ee0c7039b22e1742e1a06a394d8c03471

Download Submit
\Users\Admin\AppData\Local\Temp\gPointer.exe

Filesize
20KB

MD5
e527bfc4146d390d4c83f44f5b92d628

SHA1
01238dd13d9d794ad8293cee82dcff85b6a832e8

SHA256
0ed922eaf201e55093c5150d028424d63847117adbfe6d786f453ddd9169846f

SHA512
75fe52afa1b8304f856844ad7d303e5413fc0ce8d61609bb61add1f666b3524412a53a3ffaf46fdaa0a4951a5efae80837202b3bdd0300cbace2707cd8a423e8

Download Submit
memory/2588-347-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2588-357-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2588-356-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2588-358-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2588-359-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2588-360-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download