Malware Analysis Report

2024-10-19 06:57

Sample ID 240828-r6948avalj
Target c7107a245b566b976846e8dd62fa2db6_JaffaCakes118
SHA256 7997b23c4aa24f9cc7f1c48c78665dfc636327bd7529e9127b89f28483f9f551
Tags
azorult vidar credential_access discovery infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7997b23c4aa24f9cc7f1c48c78665dfc636327bd7529e9127b89f28483f9f551

Threat Level: Known bad

The file c7107a245b566b976846e8dd62fa2db6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

azorult vidar credential_access discovery infostealer persistence spyware stealer trojan

Azorult

Vidar

Credentials from Password Stores: Credentials from Web Browsers

Vidar Stealer

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Reads user/profile data of local email clients

Reads local data of messenger clients

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Runs .reg file with regedit

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-28 14:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-28 14:49

Reported

2024-08-28 14:52

Platform

win7-20240704-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
N/A N/A C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Advanced SystemCare = "\"C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCTray.exe\" /Auto" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\wotsuper C:\Windows\SysWOW64\regedit.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\wotsuper.reg C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A

Modifies Internet Explorer settings

adware spyware

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 3068 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 3068 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 3068 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2836 wrote to memory of 2552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1696 wrote to memory of 2544 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 936 wrote to memory of 1484 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RE8i7.html

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1iB8r7.html

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/10f7w3.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:936 CREDAT:275457 /prefetch:2

Network


Files

\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

MD5 cd0b418e6133bfff4c3b9c229bd53a0d
SHA1 cebaf473d0a171f6ae139057dfb76f9bc9ba9e87
SHA256 31b7a91d6ee9c6010d97cad1e8d97a47e8badef7b4f7fbbaac004ff7c2ca93bf
SHA512 6fb913a16755a60f0d88eb7c8941b039610e357d1e41e05c420a9fcd33b29283abb27e4a72e8dc281e06ddfd8bd980b252ce34cebbcc0592b8c575e9f92d458f

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

MD5 276a97adb44e4cce4549fe20a28ffdb3
SHA1 d35768c7b9d30907f575c0042bf6355bdce0add5
SHA256 fe6da117e9d3b643f7e80309470c622a3fcaa7a3b395955a6ee8660453948d2a
SHA512 190aa8913ca65228e800809307cf27eca6686e62ac31bf484c8ab7e0355bc94ba09ab5481249018296305dcb5235e3b4cd0c98957c89fb0a72e7a916112496cc

memory/3068-38-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BCFCCA11-654C-11EF-AE10-CEBD2182E735}.dat

MD5 206e4a792b88d0f29252ab64628b1e75
SHA1 76bdd72a3d3aa89512484e1257534cb00a5f2101
SHA256 b6c443fa7c39fb7936e6f8f934a88bc541981ce0fd132aff3588f0feb4bec4b5
SHA512 178f2f6f7392c71f003fc5b46b8cad268836b7435e43bd6b953ccb2eb5a73cc44701f8272bfa7e330482249f64436566e1819a1fe99a820f547b09b52882e071

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BCFCCA11-654C-11EF-AE10-CEBD2182E735}.dat

MD5 980cdedb52246dc7c84d531a2d9ae214
SHA1 85ed13078641bca210843f487ed3e0c7f213ac74
SHA256 d89f65283de039536b6a72c7a18486a37573b64fd3237bb1328d0acec3749662
SHA512 b94f75395c90179f922303e5541edb209b32494184c4d0adc4bf58df19020dae757d75fcbeea403ae6f9c9eb6b96d7b588513e278dafcea7d099e0b7e46fd4cd

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BCF80751-654C-11EF-AE10-CEBD2182E735}.dat

MD5 c39b144e4116bce2286b21149244d084
SHA1 06b52e13a42b2e2f0ff51b881139a541feb26eff
SHA256 df524303479607867d6acc6ebc0ae04dd919bf9632eb945e66bade5588a5a057
SHA512 ed851a98278a4412a46ca6713d265659552b3a863d21126c3424509f69435b8ce4f876953ad898afb254b48ac1422c462a237d36daecc2d94bcfdd554e2c0fa3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 7fb5fa1534dcf77f2125b2403b30a0ee
SHA1 365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA256 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512 a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 83129105d8111f3fc06f196688944de9
SHA1 6b63ee5836cb065f002122e0a3c83523221067d8
SHA256 e9c4dd5dc063c3f1f92e22e45c9f163faae377f84cfa7e3daa6b74fd99e9fc27
SHA512 de67c5dbe9bfe2293886cdb38edaafa3e45b2c079f6bb9b7d732af71ccb0e73b109a2666e52b3f4e773e74337f1ba4f418c663df2079404734c9aefa7425a8b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 5130a803c23bddf5c80d09f4a9f5fcdb
SHA1 591c65820aa23e8922ab7e0f419d0b7064ac28e7
SHA256 0814aa34c32f5088728f393789836423ef7c59765990b14e79d3b8ed399a027f
SHA512 83e92f4dc61b681ee45f3eaa243a614112042d8c648e47cf1c61478e7589bf3461e73c0901afbbabf1cd63806174834f47d64bab40fb2334df82eda35c89abd4

C:\Users\Admin\AppData\Local\Temp\CabDC4B.tmp

C:\Users\Admin\AppData\Local\Temp\TarDD46.tmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N1D1IGSJ.txt

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MAUKG6WE.txt

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\favicon[1].png

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5f5nsah\imagestore.dat

memory/2468-133-0x0000000000400000-0x00000000036D2000-memory.dmp

memory/2312-134-0x0000000000400000-0x0000000003718000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Windows\wotsuper.reg

MD5 42f073434559fb6b9c67aba86de89d1b
SHA1 9b969de41fc717353619068e46f21ec1db093ab5
SHA256 03ac69047bce954fdce3d00af881161a073f921d73ff79369e9ee96a109f9eed
SHA512 b1ae4fb02d7e629f824e084c5cd81e17be3bb37937eed7a1bfcd6aec0fd1cfe9a7299ecfc35958a5d98d11941fc6478e653b69140de02cbec28c4bf0647bd547

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-28 14:49

Reported

2024-08-28 14:52

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
N/A N/A C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced SystemCare = "\"C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCTray.exe\" /Auto" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wotsuper C:\Windows\SysWOW64\regedit.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\wotsuper.reg C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3904 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3904 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3904 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 3904 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 3904 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 3904 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3904 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3904 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 3904 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 3904 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 3904 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 3904 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 3904 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 3904 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3904 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c7107a245b566b976846e8dd62fa2db6_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RE8i7.html

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4304,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --field-trial-handle=4264,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1iB8r7.html

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5364,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5388,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5792,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5844 /prefetch:1

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/10f7w3.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=6028,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5564,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
GB 92.123.140.42:443 bzib.nelreports.net tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
GB 95.101.143.183:443 www.bing.com udp
US 8.8.8.8:53 183.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 katananestwate.com udp
US 8.8.8.8:53 anorelier.hk udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 anorelier.hk udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 95.101.143.183:443 www.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 katananestwate.com udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

MD5 cd0b418e6133bfff4c3b9c229bd53a0d
SHA1 cebaf473d0a171f6ae139057dfb76f9bc9ba9e87
SHA256 31b7a91d6ee9c6010d97cad1e8d97a47e8badef7b4f7fbbaac004ff7c2ca93bf
SHA512 6fb913a16755a60f0d88eb7c8941b039610e357d1e41e05c420a9fcd33b29283abb27e4a72e8dc281e06ddfd8bd980b252ce34cebbcc0592b8c575e9f92d458f

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

MD5 276a97adb44e4cce4549fe20a28ffdb3
SHA1 d35768c7b9d30907f575c0042bf6355bdce0add5
SHA256 fe6da117e9d3b643f7e80309470c622a3fcaa7a3b395955a6ee8660453948d2a
SHA512 190aa8913ca65228e800809307cf27eca6686e62ac31bf484c8ab7e0355bc94ba09ab5481249018296305dcb5235e3b4cd0c98957c89fb0a72e7a916112496cc

memory/3904-42-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\wotsuper.reg

MD5 42f073434559fb6b9c67aba86de89d1b
SHA1 9b969de41fc717353619068e46f21ec1db093ab5
SHA256 03ac69047bce954fdce3d00af881161a073f921d73ff79369e9ee96a109f9eed
SHA512 b1ae4fb02d7e629f824e084c5cd81e17be3bb37937eed7a1bfcd6aec0fd1cfe9a7299ecfc35958a5d98d11941fc6478e653b69140de02cbec28c4bf0647bd547

memory/4328-57-0x0000000000400000-0x00000000036D2000-memory.dmp

memory/3780-58-0x0000000000400000-0x0000000003718000-memory.dmp