Malware Analysis Report

2024-10-19 06:58

Sample ID 240826-p3hvfsvapf
Target c3087b45ca582d54e9191f33b5409506_JaffaCakes118
SHA256 7b4ed3c690a9d466ddb729d4c806af8d8dffecf85410e31ef845bea4eefd6d17
Tags
azorult vidar 543 credential_access discovery infostealer persistence spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

7b4ed3c690a9d466ddb729d4c806af8d8dffecf85410e31ef845bea4eefd6d17

Threat Level: Known bad

The file c3087b45ca582d54e9191f33b5409506_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

azorult vidar 543 credential_access discovery infostealer persistence spyware stealer trojan

Vidar

Azorult

Vidar Stealer

Credentials from Password Stores: Credentials from Web Browsers

Executes dropped EXE

Loads dropped DLL

Reads local data of messenger clients

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of local email clients

Accesses 2FA software files, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 12:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 12:51

Reported

2024-08-26 12:53

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
N/A N/A C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced SystemCare = "\"C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCTray.exe\" /Auto" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wotsuper C:\Windows\SysWOW64\regedit.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\wotsuper.reg C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3624 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3624 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3624 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 3624 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 3624 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 3624 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 3624 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 3624 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 3624 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 3624 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 3624 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 3624 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3624 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1iB8r7.html

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3836,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3856,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:1

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5384,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5396,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/10f7w3.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5876,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6196,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=6156 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=6152,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 92.123.140.42:443 bzib.nelreports.net tcp
US 8.8.8.8:53 iplogger.org udp
SG 23.106.124.148:80 tcp
US 8.8.8.8:53 42.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 termscenter.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 92.123.142.88:443 www.bing.com udp
US 8.8.8.8:53 88.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
SG 23.106.124.148:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
GB 92.123.142.89:443 www.bing.com tcp
US 8.8.8.8:53 89.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 termscenter.com udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

MD5 942a79c84567438282ac82f675aaf803
SHA1 7f4cb80d3f36f09c7e598635802afaa9757d76ad
SHA256 7b02890381fb2641217760706225493b12e3cdaa759be01bcb74b9dfa7dffdec
SHA512 c8f12ffe6f78c2a0f823f8b5658b6f907a72882aeff5368c733cd524e3c765e7c91931b8778c3485858577770957e2d5c5b529f87463e94fc2d534be3f22e06c

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

MD5 b8c7f57132531317f87259fae9e1ac73
SHA1 9a116a2e5d40d3ba2384885576ecc830d57f7dfc
SHA256 461490a3713db75a6474efd8e8f188bdcb8fc46a78372e62eabc89b64d76fbc2
SHA512 e7f42d9de87e0f24f1016d597e95c9a4a0441f73e6419501a82ab8aac942b50b28c820b2c82f2102e8a65e00624d0082fd03fa301ccb547f0288a78cd4001a9e

memory/3732-38-0x0000000000400000-0x0000000000481000-memory.dmp

memory/3624-40-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3732-41-0x0000000002310000-0x00000000023FC000-memory.dmp

memory/3732-42-0x0000000000900000-0x0000000000920000-memory.dmp

memory/2240-58-0x0000000000400000-0x0000000000499000-memory.dmp

memory/3732-59-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Windows\wotsuper.reg

MD5 42f073434559fb6b9c67aba86de89d1b
SHA1 9b969de41fc717353619068e46f21ec1db093ab5
SHA256 03ac69047bce954fdce3d00af881161a073f921d73ff79369e9ee96a109f9eed
SHA512 b1ae4fb02d7e629f824e084c5cd81e17be3bb37937eed7a1bfcd6aec0fd1cfe9a7299ecfc35958a5d98d11941fc6478e653b69140de02cbec28c4bf0647bd547

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 12:51

Reported

2024-08-26 12:53

Platform

win7-20240704-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
N/A N/A C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Advanced SystemCare = "\"C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCTray.exe\" /Auto" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\wotsuper C:\Windows\SysWOW64\regedit.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\wotsuper.reg C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DF9A31B1-63A9-11EF-BB68-FA57F1690589} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430838557" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DFD352B1-63A9-11EF-BB68-FA57F1690589} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000c03a3cc0a3fb9137838d8d4b6b3cdf7e53789d34cdabd92f9e9d73bb8828d8a4000000000e8000000002000020000000971c8b6138b1fb255ebb16b36cf5a92dc7f8d8e213080b153a5b36cf834a5d8820000000128eb67fec7dc6812ac9f97a5acdc42d70fdc8f00d56ccf508bfc6f0fc3b7569400000002796ee76f226beb6f135a1c7fb001855e916ec140a6922df3914bcf3d51db029313f407f7d3e769a4d0a81a676944569f0476b1ecb23a4ae34c550a5f68f9b7e C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b70000000000200000000001066000000010000200000001a921e4cf7b5f6739bc71734debeff6283de5695bdd26630abc14e087a83857b000000000e80000000020000200000009409335997a0e5e104d5e4d963849987149e83234aa70a27efa16cf9af3ed7d790000000d839b6e34b0880f761acd79ccdce862dd4f0633fce10b64f6dc32e0b6203cbc1bf8c5bb8b24ec9a66c517d8dfd82cb6ba17623186f32b0503f2b01f3f57ac717d2ac0c40e321623cecfee724bdad7b1cb0769f147e8370898a503257e125547ea34bd0040324473f8277af40a8d3d4706991c0d6a3247a8d883cb44c0f63157fd3eff1dea6bf2bd98b423d22bb8302a9400000000372de4ebc90814419c9f9f8e0806faa2949d3cbb27a709fa4942a5937e7657601136cbb2d16206c19eb160bc60ac70889485d73a0397712d1c1f8cdf2885b96 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70fdfbb5b6f7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2552 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2552 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2552 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2552 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 2552 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 2552 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 2552 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 2552 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 2552 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 2552 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 2552 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 2552 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2552 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2552 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2552 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2552 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2552 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2552 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2552 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2992 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2992 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2992 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2992 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2884 wrote to memory of 1736 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2884 wrote to memory of 1736 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2884 wrote to memory of 1736 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2884 wrote to memory of 1736 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c3087b45ca582d54e9191f33b5409506_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1iB8r7.html

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/10f7w3.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275458 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 termscenter.com udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
FR 216.58.214.163:80 c.pki.goog tcp
FR 216.58.214.163:80 c.pki.goog tcp
SG 23.106.124.148:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
SG 23.106.124.148:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.132:80 crl.microsoft.com tcp
SG 23.106.124.148:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files
