raccoon | ca4c8f542127562abb8035bd912a61e82d888fc957677f6c7e99f0d3ca32b9da

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe
Size

885KB
MD5

3b27806de4152ee59c982d9d67d7f470
SHA1

db0835a7487d0a66d38409df711fc5bbee6e9720
SHA256

ca4c8f542127562abb8035bd912a61e82d888fc957677f6c7e99f0d3ca32b9da
SHA512

38d7c079c6147a4ac220a3ac069e26fb7cc0f2ce2c7a09c9ba6a817b681374eb5717746cd6ad565eef49031de9e07941dd9a55b62f843eb17acfc7c421265155
SSDEEP

12288:pANwRo+mv8QD4+0V16jUba1dUHXTDBptaxyNgW1IBG7co5yLyWm7vtwrsKSO2OaS:pAT8QE+kKJQHj3uxBPuWQxOGnhmb

Score

10^/10

raccoon discovery persistence stealer

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral2/memory/4080-75-0x00000000009D0000-0x0000000000A60000-memory.dmp	family_raccoon_v1
behavioral2/memory/4080-78-0x0000000000400000-0x00000000009CD000-memory.dmp	family_raccoon_v1
behavioral2/memory/4080-127-0x0000000000400000-0x00000000009CD000-memory.dmp	family_raccoon_v1
behavioral2/memory/4080-138-0x00000000009D0000-0x0000000000A60000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4080	wotsuper.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced SystemCare = "\"C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCTray.exe\" /Auto"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wotsuper	regedit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	iplogger.org
16	iplogger.org
17	iplogger.org

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wotsuper.reg	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs .reg file with regedit 1 IoCs

pid	Process
228	regedit.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
3716	msedge.exe
3716	msedge.exe
2748	msedge.exe
2748	msedge.exe
3064	identity_helper.exe
3064	identity_helper.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe
3716	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3716	2260	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe	87
PID 2260 wrote to memory of 3716	2260	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe	87
PID 3716 wrote to memory of 4772	3716	msedge.exe	88
PID 3716 wrote to memory of 4772	3716	msedge.exe	88
PID 2260 wrote to memory of 4080	2260	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe	89
PID 2260 wrote to memory of 4080	2260	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe	89
PID 2260 wrote to memory of 4080	2260	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe	89
PID 2260 wrote to memory of 228	2260	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe	90
PID 2260 wrote to memory of 228	2260	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe	90
PID 2260 wrote to memory of 228	2260	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe	90
PID 2260 wrote to memory of 4156	2260	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe	91
PID 2260 wrote to memory of 4156	2260	3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe	91
PID 4156 wrote to memory of 3152	4156	msedge.exe	92
PID 4156 wrote to memory of 3152	4156	msedge.exe	92
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 4672	3716	msedge.exe	94
PID 3716 wrote to memory of 1464	3716	msedge.exe	95
PID 3716 wrote to memory of 1464	3716	msedge.exe	95
PID 3716 wrote to memory of 3056	3716	msedge.exe	96
PID 3716 wrote to memory of 3056	3716	msedge.exe	96
PID 3716 wrote to memory of 3056	3716	msedge.exe	96
PID 3716 wrote to memory of 3056	3716	msedge.exe	96
PID 3716 wrote to memory of 3056	3716	msedge.exe	96
PID 3716 wrote to memory of 3056	3716	msedge.exe	96
PID 3716 wrote to memory of 3056	3716	msedge.exe	96
PID 3716 wrote to memory of 3056	3716	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b27806de4152ee59c982d9d67d7f470_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1eVfw7.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7ffff31e46f8,0x7ffff31e4708,0x7ffff31e4718
    3⤵
    PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:3056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    PID:3132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:4428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
    3⤵
    PID:1780
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8
    3⤵
    PID:4448
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
    3⤵
    PID:2204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
    3⤵
    PID:3100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
    3⤵
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
    3⤵
    PID:4984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,11715372785192745759,5248452459242956296,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5236 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1lTHd.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff31e46f8,0x7ffff31e4708,0x7ffff31e4718
    3⤵
    PID:3152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,9324913541382487200,5889130701233594363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

Filesize
490KB

MD5
14e3a4fb7e7f51c099e72372e2bf5d82

SHA1
11b4c01ae3ab9dc000fd1534846660983f6dc527

SHA256
ca2638676aaa3aff95d83564ae8012a6e3d5eabf2d710cef3eb372af1bbda4db

SHA512
dec12490f346dae89e0b499ea1a8927e0c7e294638a5257276726c44c093e2bf547831259b9d60ed13b0430ee7d03dbe97a1898b5814cc2dd863b63da2004f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
4bc8a3540a546cfe044e0ed1a0a22a95

SHA1
5387f78f1816dee5393bfca1fffe49cede5f59c1

SHA256
f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

SHA512
e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25b9113a440cc7fcc78964e6a2a710ad

SHA1
f31e0c859335a2310137d12ee1d945849d31abc0

SHA256
89d0a1f4660dd2feb1210bed57712f4271d50851ba9895a8b66939bc512b66d1

SHA512
cdbded916b96a30d62d7fcfb3b47be8ff8aa2ffcda89287705a7ef58f8ff0a6bb9159d01d49f748cdb4ad942cc616b19f86a5b9d799b2618b90362efec40b85c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82e6422a4ff1468321cafe8149bd61e8

SHA1
a62375f28ca86032e63f043133f6825ebfa8f2ef

SHA256
fa333fdb1b8b12281dfef43ec5440190a3237d0b1a4b01928da99fbfed79216b

SHA512
77b0654911e3d713de8ae73dfc4943b225e662a374331c54ce315670ab8910906f4d847e4ee8b5de743f17037322da2b69d8bd155be849c536038b90a778dcfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
5bd758b162b13c81b6d17fcf79bf0190

SHA1
7e64ced2d4eb732182ddef84dc5e4372baad9491

SHA256
b8927efc487d0c572aee9aebbd7ac4d0a90c3b51727f876c311012606290a229

SHA512
d39351d6711bba2f0bc383f23a8804f452c0194a2111a5f105af171ee9f20b9689b333c0fdb1c32de9f9bb74a6084f13cbd25e12f143db736e8f6ef30e31dce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
566404a729914664b960b71eb9161121

SHA1
950154347d364d6ba31014a58541e9d04045c801

SHA256
a3b4338c58e32f63793574a425746b03a9df0ad71887a065d7fcde52554e81c8

SHA512
11794a9ddaa787f34fe8a37ff6b70e2d41fc0abc99728a2a7e20bf4b01409c92b4f4872e66ad58c30a115685cadc7e3911a70b7a2d1fbed378896ee2df10d1ee

Download Submit
C:\Windows\wotsuper.reg

Filesize
450B

MD5
42f073434559fb6b9c67aba86de89d1b

SHA1
9b969de41fc717353619068e46f21ec1db093ab5

SHA256
03ac69047bce954fdce3d00af881161a073f921d73ff79369e9ee96a109f9eed

SHA512
b1ae4fb02d7e629f824e084c5cd81e17be3bb37937eed7a1bfcd6aec0fd1cfe9a7299ecfc35958a5d98d11941fc6478e653b69140de02cbec28c4bf0647bd547

Download Submit
memory/2260-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-78-0x0000000000400000-0x00000000009CD000-memory.dmp

Filesize
5.8MB

Download
memory/4080-127-0x0000000000400000-0x00000000009CD000-memory.dmp

Filesize
5.8MB

Download
memory/4080-75-0x00000000009D0000-0x0000000000A60000-memory.dmp

Filesize
576KB

Download
memory/4080-74-0x0000000000B50000-0x0000000000C50000-memory.dmp

Filesize
1024KB

Download
memory/4080-137-0x0000000000B50000-0x0000000000C50000-memory.dmp

Filesize
1024KB

Download
memory/4080-138-0x00000000009D0000-0x0000000000A60000-memory.dmp

Filesize
576KB

Download