azorult | d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab95b07eeb30a98ec33aa2cb0c8d7929.exe
Size

684KB
MD5

ab95b07eeb30a98ec33aa2cb0c8d7929
SHA1

6d8871a497703d5f7c5437c22d7cd73231460d44
SHA256

d7d7ee33a95fb43312bf1ebe4e7a106ddfb5ef80097137cc2c87a014acc7e629
SHA512

0a19d5f3f16ab4e675e7370d300902f8a947c1cdb1b64d85e5493d3664a0ade1e965fbb92d9397f75413968a5c288a7f9644b4adcdabe4df798b7faf0e3fbb3d
SSDEEP

12288:3hoqeAQCtaNBoQLsivV4aURL3LtRFOQBfVb08aOso295bl7k4FWVluBUZSaHyOCu:qPCk1BFe

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://888security.ru/c0visteal/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 41 IoCs

pid	Process
3952	gPointer.exe
2688	gPointer.exe
1852	gPointer.exe
936	gPointer.exe
4544	gPointer.exe
2204	gPointer.exe
2564	gPointer.exe
4656	gPointer.exe
2188	gPointer.exe
1864	gPointer.exe
4884	gPointer.exe
2764	gPointer.exe
3280	gPointer.exe
2096	gPointer.exe
2172	gPointer.exe
1920	gPointer.exe
3580	gPointer.exe
3216	gPointer.exe
4044	gPointer.exe
924	gPointer.exe
1824	gPointer.exe
4980	gPointer.exe
1288	gPointer.exe
1084	gPointer.exe
2244	gPointer.exe
456	gPointer.exe
1380	gPointer.exe
4408	gPointer.exe
1188	gPointer.exe
4964	gPointer.exe
1600	gPointer.exe
4704	gPointer.exe
3480	gPointer.exe
3440	gPointer.exe
3576	gPointer.exe
1720	gPointer.exe
3968	gPointer.exe
3552	gPointer.exe
844	gPointer.exe
4948	gPointer.exe
4152	gPointer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 5012	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	86

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe
3952	gPointer.exe
2688	gPointer.exe
1852	gPointer.exe
936	gPointer.exe
4544	gPointer.exe
2204	gPointer.exe
2564	gPointer.exe
4656	gPointer.exe
2188	gPointer.exe
1864	gPointer.exe
4884	gPointer.exe
2764	gPointer.exe
3280	gPointer.exe
2096	gPointer.exe
2172	gPointer.exe
1920	gPointer.exe
3580	gPointer.exe
3216	gPointer.exe
4044	gPointer.exe
924	gPointer.exe
1824	gPointer.exe
4980	gPointer.exe
1288	gPointer.exe
1084	gPointer.exe
2244	gPointer.exe
456	gPointer.exe
1380	gPointer.exe
4408	gPointer.exe
1188	gPointer.exe
4964	gPointer.exe
1600	gPointer.exe
4704	gPointer.exe
3480	gPointer.exe
3440	gPointer.exe
3576	gPointer.exe
1720	gPointer.exe
3968	gPointer.exe
3552	gPointer.exe
844	gPointer.exe
4948	gPointer.exe
4152	gPointer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3952	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	85
PID 2176 wrote to memory of 3952	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	85
PID 2176 wrote to memory of 3952	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	85
PID 2176 wrote to memory of 5012	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	86
PID 2176 wrote to memory of 5012	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	86
PID 2176 wrote to memory of 5012	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	86
PID 2176 wrote to memory of 2688	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	87
PID 2176 wrote to memory of 2688	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	87
PID 2176 wrote to memory of 2688	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	87
PID 2176 wrote to memory of 1852	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	88
PID 2176 wrote to memory of 1852	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	88
PID 2176 wrote to memory of 1852	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	88
PID 2176 wrote to memory of 936	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	89
PID 2176 wrote to memory of 936	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	89
PID 2176 wrote to memory of 936	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	89
PID 2176 wrote to memory of 4544	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	90
PID 2176 wrote to memory of 4544	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	90
PID 2176 wrote to memory of 4544	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	90
PID 2176 wrote to memory of 2204	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	91
PID 2176 wrote to memory of 2204	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	91
PID 2176 wrote to memory of 2204	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	91
PID 2176 wrote to memory of 2564	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	92
PID 2176 wrote to memory of 2564	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	92
PID 2176 wrote to memory of 2564	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	92
PID 2176 wrote to memory of 4656	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	93
PID 2176 wrote to memory of 4656	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	93
PID 2176 wrote to memory of 4656	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	93
PID 2176 wrote to memory of 5012	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	86
PID 2176 wrote to memory of 2188	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	94
PID 2176 wrote to memory of 2188	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	94
PID 2176 wrote to memory of 2188	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	94
PID 2176 wrote to memory of 1864	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	95
PID 2176 wrote to memory of 1864	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	95
PID 2176 wrote to memory of 1864	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	95
PID 2176 wrote to memory of 4884	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	96
PID 2176 wrote to memory of 4884	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	96
PID 2176 wrote to memory of 4884	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	96
PID 2176 wrote to memory of 2764	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	97
PID 2176 wrote to memory of 2764	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	97
PID 2176 wrote to memory of 2764	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	97
PID 2176 wrote to memory of 3280	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	98
PID 2176 wrote to memory of 3280	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	98
PID 2176 wrote to memory of 3280	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	98
PID 2176 wrote to memory of 2096	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	99
PID 2176 wrote to memory of 2096	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	99
PID 2176 wrote to memory of 2096	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	99
PID 2176 wrote to memory of 2172	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	100
PID 2176 wrote to memory of 2172	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	100
PID 2176 wrote to memory of 2172	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	100
PID 2176 wrote to memory of 5012	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	86
PID 2176 wrote to memory of 1920	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	101
PID 2176 wrote to memory of 1920	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	101
PID 2176 wrote to memory of 1920	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	101
PID 2176 wrote to memory of 3580	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	102
PID 2176 wrote to memory of 3580	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	102
PID 2176 wrote to memory of 3580	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	102
PID 2176 wrote to memory of 3216	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	103
PID 2176 wrote to memory of 3216	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	103
PID 2176 wrote to memory of 3216	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	103
PID 2176 wrote to memory of 4044	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	104
PID 2176 wrote to memory of 4044	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	104
PID 2176 wrote to memory of 4044	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	104
PID 2176 wrote to memory of 924	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	105
PID 2176 wrote to memory of 924	2176	ab95b07eeb30a98ec33aa2cb0c8d7929.exe	105

C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929.exe
"C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:CreateProcessW
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929.exe
  "C:\Users\Admin\AppData\Local\Temp\ab95b07eeb30a98ec33aa2cb0c8d7929.exe"
  2⤵
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtUnmapViewOfSection
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:936
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:VirtualAllocEx
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4656
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3280
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3216
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4044
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:924
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:456
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1380
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4964
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3480
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3440
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3576
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:GetThreadContext
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3968
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3552
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe NTDLL:NtWriteVirtualMemory
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:844
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:SetThreadContext
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\gPointer.exe
  C:\Users\Admin\AppData\Local\Temp\gPointer.exe KERNEL32:ResumeThread
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CreateProcessW

Filesize
10B

MD5
635571f6c69a0ef1f8b6178bf44313de

SHA1
4b1e51cd117e7f472598bf8e829382614d22282b

SHA256
85e052601722d3efe177c473972c8981dc6301fa4dead9da7ecfe0943e1849f0

SHA512
36a18903f507f274a82beed740e0c86cfee3dc403a2fb02ee07d063f31ad01352cf32f6e99baf613d319900c16a48d4fd572f998a674f3e673d7bca2d9b1b9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtUnmapViewOfSection

Filesize
10B

MD5
173cc4a3e7f1d68feca73197709337c7

SHA1
cfdc8e81dd8f445fab6060b9821e4c0c3a4034b2

SHA256
98923047d73f72c81b85730033877468f483c3915ddfb5114c5abefa7079103f

SHA512
a6d34458b8ce136e224dd67700d7356392ef787f5dc0a4c0c6d2d929c27520f535ef363c1d973a3db5183bec9d9f90872c231534a1537b074789c0d7c196395c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtWriteVirtualMemory

Filesize
10B

MD5
fd88ec4f0384a50cc78589eb2285f92d

SHA1
cd208c3ee7c48923b54cfa1f9da9ba632a917251

SHA256
2666f422416ebd4e857ce7cb3acd21c7e902a410018619a0b5e64e295a3fbc56

SHA512
efd78ee93ecb010ec4e29559441aed69da6a5b24256da41cb8e1690f0061da2295b49535f3b8e9182271aeab58ce60d0bf0333987cc9e87e8cc2843c29f6ed89

Download Submit
C:\Users\Admin\AppData\Local\Temp\VirtualAllocEx

Filesize
10B

MD5
401884e935c8f2a5551e279a5b7c3432

SHA1
fb6c99667196d9dd1d417f3bde849f87eeadeaca

SHA256
388e3e39901a976ca4bd39139f6f0943bd4ed00a858b35653acda26eaca09706

SHA512
5d5369802bfe7449f2a0c063d5afaaa0bee0397f674a2092fa84f451bf6824d853b48659facd8fd0dde4c0aace8efc51841d23626e65014f685231911995d9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPointer.exe

Filesize
20KB

MD5
e527bfc4146d390d4c83f44f5b92d628

SHA1
01238dd13d9d794ad8293cee82dcff85b6a832e8

SHA256
0ed922eaf201e55093c5150d028424d63847117adbfe6d786f453ddd9169846f

SHA512
75fe52afa1b8304f856844ad7d303e5413fc0ce8d61609bb61add1f666b3524412a53a3ffaf46fdaa0a4951a5efae80837202b3bdd0300cbace2707cd8a423e8

Download Submit
memory/5012-188-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5012-193-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5012-194-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5012-195-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5012-196-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5012-197-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download