raccoon | 361411e6321c45c845669ac89e32feec0bdd97916b5d73f508c43576b8a15a20

Resubmissions

27/03/2025, 04:11

250327-eryresxsgy 10

16/03/2025, 18:38

250316-xaftdsxsct 10

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample2.exe
Size

871KB
MD5

dd1b734796b4aa40af46b4d69e1e2da2
SHA1

d5273be84dfa0c54fc9cefff7bcc24fed3e20e1c
SHA256

361411e6321c45c845669ac89e32feec0bdd97916b5d73f508c43576b8a15a20
SHA512

2de21b09091caaa2cfca919fb8e5777afb80ff1eba12b81b2f9a6fde3c94aea52f3bba22ad801bae37fb8816fc7e738c54fc2639d8f6cf47e04d4bc0dbd2af56
SSDEEP

12288:iANwRo+mv8QD4+0V165iTr/erjzuQhyACzHDxx/PI11TUeJpIPxSG6zKzxSg564k:iAT8QE+kms0LrSPY/TUeJ4jVzCW1qQa

Score

10^/10

raccoon vidar discovery persistence spyware stealer

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 1 IoCs

resource	yara_rule
behavioral2/memory/4460-203-0x0000000000400000-0x00000000032DB000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000024228-29.dat	family_vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	sample2.exe

Executes dropped EXE 2 IoCs

pid	Process
4460	wotsuper.exe
4576	wotsuper1.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced SystemCare = "\"C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCTray.exe\" /Auto"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wotsuper	regedit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
6	iplogger.org
7	iplogger.org
14	iplogger.org
15	iplogger.org
130	iplogger.org
131	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_1649976610\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_941252646\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_941252646\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_959423359\crs.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_1649976610\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_959423359\kp_pinslist.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_959423359\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_433801132\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_433801132\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_959423359\ct_config.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_959423359\manifest.fingerprint	msedge.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe	sample2.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe	sample2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_433801132\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_1649976610\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_941252646\typosquatting_list.pb	msedge.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe	sample2.exe
File created	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini	sample2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_433801132\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1128_433801132\manifest.fingerprint	msedge.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wotsuper.reg	sample2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wotsuper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wotsuper1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wotsuper1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wotsuper1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866239344316012"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{2BFC9212-1914-4A2A-A688-BFAAC73DB0CB}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs .reg file with regedit 1 IoCs

pid	Process
6016	regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4576	wotsuper1.exe
4576	wotsuper1.exe
4576	wotsuper1.exe
4576	wotsuper1.exe
4576	wotsuper1.exe
4576	wotsuper1.exe
4576	wotsuper1.exe
4576	wotsuper1.exe
5156	msedge.exe
5156	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe
1128	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1128	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1128	1508	sample2.exe	88
PID 1508 wrote to memory of 1128	1508	sample2.exe	88
PID 1508 wrote to memory of 4460	1508	sample2.exe	89
PID 1508 wrote to memory of 4460	1508	sample2.exe	89
PID 1508 wrote to memory of 4460	1508	sample2.exe	89
PID 1128 wrote to memory of 4500	1128	msedge.exe	90
PID 1128 wrote to memory of 4500	1128	msedge.exe	90
PID 1508 wrote to memory of 4576	1508	sample2.exe	91
PID 1508 wrote to memory of 4576	1508	sample2.exe	91
PID 1508 wrote to memory of 4576	1508	sample2.exe	91
PID 1508 wrote to memory of 6016	1508	sample2.exe	92
PID 1508 wrote to memory of 6016	1508	sample2.exe	92
PID 1508 wrote to memory of 6016	1508	sample2.exe	92
PID 1128 wrote to memory of 4868	1128	msedge.exe	93
PID 1128 wrote to memory of 4868	1128	msedge.exe	93
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4888	1128	msedge.exe	95
PID 1128 wrote to memory of 4888	1128	msedge.exe	95
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94
PID 1128 wrote to memory of 4884	1128	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\sample2.exe
"C:\Users\Admin\AppData\Local\Temp\sample2.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Ldta7.html
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2cc,0x360,0x7ffb5eb3f208,0x7ffb5eb3f214,0x7ffb5eb3f220
    3⤵
    PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1816,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:3
    3⤵
    PID:4868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2368,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=2360 /prefetch:2
    3⤵
    PID:4884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2236,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:8
    3⤵
    PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
    3⤵
    PID:3980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
    3⤵
    PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4320,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:1
    3⤵
    PID:2836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4944,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:8
    3⤵
    PID:5204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4960,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:8
    3⤵
    PID:5424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:8
    3⤵
    PID:3984
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5960,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:8
    3⤵
    PID:2580
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5960,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:8
    3⤵
    PID:6104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6168,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=6108 /prefetch:8
    3⤵
    PID:5384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6304,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:8
    3⤵
    PID:5104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6152,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:8
    3⤵
    PID:4644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5572,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    PID:4004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
    3⤵
    PID:5056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5372,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=6308 /prefetch:8
    3⤵
    PID:452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5876,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=856 /prefetch:8
    3⤵
    PID:5780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6320,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5524,i,9355764129004521216,2440258947216947658,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8
    3⤵
    PID:3164
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4460
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4576
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1smEq7.html
  2⤵
  PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

Filesize
449KB

MD5
7b20f5c61780fe383f45ca6e18ed5a6a

SHA1
bc9bfd59f0cde312cd9a0d20784887fed9b8c836

SHA256
26ccbcb079b3f0cc183293351c40da3146d2ddec9b4d6cd314090cfab94834df

SHA512
8a63f6ad20fe18bd49d055ae05bc81fe30d0ebfb25a37428b17b43569b53bf2560f0de8f993f62a2f5d458db78e6d24ad71fca8d7fd1133d3cb499dff356e68b

Download Submit
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

Filesize
544KB

MD5
b8181cb72764c24e73c7b6204b16bed6

SHA1
c430cc4776ff5e21d08bca9a0d73cfaf29108fa4

SHA256
fdb5a0d4e97ee36d2b23605b0d8a2785d08d046058f07a8714e4908e8a2485a2

SHA512
bd63970b846bfdc6990b803e12028c692bc3f3125df03c3b9ec4626e1ce56dc43313d37c71337868ade0e4da31a5eca971b453242829b7312eb7efd2a407de1d

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1128_1649976610\data.txt

Filesize
112KB

MD5
fd8717bad7cd0f60163e7c2b05210aaa

SHA1
1dd620b2a4b49d16a63d3b73495bbb0388cbdbc9

SHA256
d5facea6ed705ea08962d52a30ebf38f6d42aea50a7af21b103d0388b7dae34a

SHA512
7b3d3867977b04efce86c5cce45ae0125d25344fa85347a83977faaa9ecd205774a976be63d6af48b953b4ca355405aa090d6db482073f77d71607c948acb5ad

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1128_1649976610\manifest.json

Filesize
52B

MD5
8c32b9f390fcc4f061885661dbe797bd

SHA1
c681595df03f9f74ec600e70069c879daf2ca923

SHA256
1431c36e66b4fc53ca74e9b10ea0213245631ad7543fef183a8dd2720a5b4ab4

SHA512
e8bbde18d5de7fe2a8162951d3fe75460efbee71afffb4c0c22f2088dee146fb6bfcccae18d4955608e60a7df716eeb47c0687f45344b45130b368eeaf316418

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1128_941252646\manifest.json

Filesize
118B

MD5
ffa5fcfeb00002903f6cf667e9fe6a3c

SHA1
ad765ea344c8cfd95a591da8259fe412e52d13b0

SHA256
dd0679c622258bad2e2ddaec3470297259dc68b55b8c4f4d7f2f28a378826217

SHA512
8da9b780e9bc6785efbd56b51a4decc8703c9f1d41b33469153cc0aea8190c1b6a9001128c6022756a66ee539086ad6f787da84b6b7082dc51939077365e7beb

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1128_959423359\manifest.json

Filesize
102B

MD5
a64e2a4236e705215a3fd5cb2697a71f

SHA1
1c73e6aad8f44ade36df31a23eaaf8cd0cae826d

SHA256
014e9fc1219beefc428ec749633125c9bff7febc3be73a14a8f18a6691cd2846

SHA512
75b30c0c8cef490aaf923afbdb5385d4770de82e698f71f8f126a6af5ef16f3a90d0c27687f405274177b1a5250436efddd228a6d2949651f43bd926e8a1cc99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
690f9d619434781cadb75580a074a84d

SHA1
9c952a5597941ab800cae7262842ab6ac0b82ab1

SHA256
fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

SHA512
d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0d82554838d50743110c6ebee0bb39e9

SHA1
622dd4748d095e01376d9323b19d5ad270ac8799

SHA256
4bdcd3465e47faaf932336ef21795dfa3cf56aeffdc465c191e2032cc2b704db

SHA512
826b6ef113ce2f11fabc9f9a145405a978b65791e5505f466e0d1b7ac0eb681bae6285437df68db9b0c7fd35af066fa68d3c487799446f8bc14721083c4b37a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
4752e64826481d2adf6757678093fdc2

SHA1
155b193ebcc0d7ddc79bf0eac8eb10cc6f64a2f9

SHA256
2c0186564244cc73ad95162f001eea14636a23c3a8bd2703b8695dc8fb3e1f41

SHA512
15639d8fbc50c836d5c317dba08e5a678344d35f2270bd9bfb77e8c1a8d6b556a574ad76eca2f4b6f755d23667268c4e49a507bdac3c500ef1a6d638ae336561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
08ab5b34ef541bb1039678c139b34853

SHA1
70c24eb2e1c43dfa97d5ebedfbe0ac50c985cf04

SHA256
a012862344cdfd46708c7676d21180632924947467f7896795033a3c6d1eaeae

SHA512
5c749c9bd790a8658bc6aea30a8320bf81fa4dea777c70218589ce64c0858fc2fe784a0f749b8f20057e3ca7e2f4f33d52c7ef40b9b1d5523d20e26e8ac3fd03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
03e42ae1e514da117074673ab399bd25

SHA1
066f6cc9a11ad05b3923b20dbc98fa9868d318a4

SHA256
19612c7cd1c3195169652e4b681c1f94b1b8a5a16ff933fd0c07aed99032fda6

SHA512
9c35f266835e2c49e698bc008764caac779b79681391f573f9c5a954441ce083533b737f3b86d69002ea81cc8613fe77b24efcd6215922daf737a3b75f63457c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
a6abe42d5f2cd85cec119a391212591d

SHA1
f9c3a62ddfbcbb584aade467ef233dae8ff4053b

SHA256
87ead92030b38b11ba92c0d01a8c553348408c3a5edd71a74e5e12efe1110653

SHA512
e8e8ee9f75a5a692a973e25a660add15b221ecd49276d47f27fa9b7c0dc28e6721ac80e92d0fce815488ebcf102bbadc4610839a6afbf1cc47170777fd4a347e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
464B

MD5
99f52045276fd25f4e74427e76b25408

SHA1
10c8da6d967280f9dd07930e741268db55e7f101

SHA256
f684ebc21ecaaee6f2e6c5bdeba5d9a412c8cccf80c3b362b71b2d86f0924dcb

SHA512
68fa9aa55777e179a080f470f97f9e56ddd5aaf6411a04c22aa6a3deee5972c265a1effb3dc1072802914d9a12bed31bf9f5e0fb5d54a2b235328d9f134c4b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
78f57f8be2b3a30d3ec91e923c0ff351

SHA1
c636f2a4b46e78befd09d1fe5a7993f4b4a88838

SHA256
9cf07a94ad0c338d11b231f3139c60bd85b112b22a165647f54df087ee535dbd

SHA512
01f80d286742ca4379f6c0d1da44328a9e9280c2e24756df4179bd137b310a1a5866529a63e38d57a44018dfd884ba5abad2194c7194ffc0caf691062e6b5460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
61c6a16afae91b0e42a2d6c1076eb3a0

SHA1
4eb65d1c918457feedadfcea37ee7a0036423d5c

SHA256
8b416de76023c4213d7e7f39be16d9fe17e2cd2a21dbbe072251363630c23b8b

SHA512
d14d398681be43589942fd4700a4e0dbe044899cf4245343d7ec1d4c15f70c71680e47a39c860fcc79c160853d3d9a6934606a82081893cb0da1f5a1b7c648db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
d79049d11327b65c73f08f7e6ae1cf5f

SHA1
1e7ef840dd8b7267bc0fd1205c909b8e1e4c88ce

SHA256
fbf494e0f8d8b359684728d3bb4512f411c26f2441babc0003326de56d7c0bfb

SHA512
5294fe030a967c05b753d5e279ba0a61243fafcde114227305db2dcff608e5908751a94ca67fa8c85524dd1a6a2d9cbe4893d660666e4fed44ea2a5ad3761c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
fe3fb6b4de436c98071607700923ad3d

SHA1
fb345fc9185f169cb566bf69636e9956e5fca964

SHA256
0dd713eaf31b6dafc878bf6f9f043421be2f103bc8d2320cabd2d38b3b6fcacb

SHA512
31c78b6ae0f2da1a2d0a95b670a27620621f5a70de6c6ccada67b9a5a7095fc91d1ab4b1e286482effca6fbe3277ed50ab945f3deb8e7ef101be8903f14955d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
6901a6dea1486406729f6413f42e7e94

SHA1
b0157ac1317400fb31066b885e214d353e7bf635

SHA256
c203815239a9ccbe6ec292072c96dfebfa09098e53fbebc9f07524e9f3989e51

SHA512
723ae9ce9977b7bbe35405c4288a8d5eb5914b007901687a9b7dae14a7ee32fbabdf543e949bd29f679e5ec1cb43e9fc959dc3ddb6b50c30134c3c4dd905b2ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\crs.pb

Filesize
289KB

MD5
2b59269e7efdd95ba14eeb780dfb98c2

SHA1
b3f84cbc37a79eeecb8f1f39b615577d78600096

SHA256
ff2ced650772249abb57f6f19c5d0322d6df22c85c7cf2be193b6134e1b95172

SHA512
e4b454db2248021e0d198805ea54f1c0cfd84b9716a9348b1d0e0acb7c6fb5dd0839e532a5eb6d4410ab759d6688dd6cce8375ad55a150d738d280993142e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\ct_config.pb

Filesize
8KB

MD5
811b65320a82ebd6686fabf4bb1cb81a

SHA1
c660d448114043babec5d1c9c2584df6fab7f69b

SHA256
52687dd0c06f86a2298a4442ab8afa9b608271ec01a67217d7b58dab7e507bdf

SHA512
33350cce447508269b7714d9e551560553e020d6acf37a6a6021dc497d4008ce9e532dd615ad68872d75da22ac2039ef0b4fa70c23ec4b58043c468d5d75fd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
0779206f78d8b0d540445a10cb51670c

SHA1
67f0f916be73bf5cffd3f4c4aa8d122c7d73ad54

SHA256
bf0945921058b9e67db61e6a559531af2f9b78d5fbedb0b411384225bdd366ec

SHA512
4140b2debe9c0b04e1e59be1387dca0e8e2f3cbc1f67830cbc723864acc2276cde9529295dcb4138fa0e2e116416658753fe46901dfa572bdfe6c7fb67bd8478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.16.1\typosquatting_list.pb

Filesize
631KB

MD5
c3ec8bf0a625c2583833a3340825f1cb

SHA1
582054710a312897117128ed59ddadc983525eb6

SHA256
7d10e035e0b2e152a1fe32a92b0b34295a979f7db2269cfba69d4aaf3401b77f

SHA512
175125259eb39225d0584fa4e3c5cbfc66bd22646cf32677f0eb7514a0abeb2c08118375210a69207be85e6e7ebdd9b6fa9a967d3c4ecd40ecd514e306873c6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
a31e23d3d0133c6382dbf7ef12eed4cb

SHA1
ce5d15c978f4bac384a0ff5a342f8f81fb11a0f3

SHA256
28a26777cf6bf3637a3d86567bd683f40b7f3f5d947117bf1ea29ba4abcd2369

SHA512
518943580ab0d3bd2b5bed0aff1bb7bc411f6cec860a19cc1c15f3a12d0d6767a56c5e447b2c4a7e9e14abb01e76f46853d71539995bab7ec4d4817a2e3bb586

Download Submit
C:\Windows\wotsuper.reg

Filesize
450B

MD5
42f073434559fb6b9c67aba86de89d1b

SHA1
9b969de41fc717353619068e46f21ec1db093ab5

SHA256
03ac69047bce954fdce3d00af881161a073f921d73ff79369e9ee96a109f9eed

SHA512
b1ae4fb02d7e629f824e084c5cd81e17be3bb37937eed7a1bfcd6aec0fd1cfe9a7299ecfc35958a5d98d11941fc6478e653b69140de02cbec28c4bf0647bd547

Download Submit
memory/1508-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-203-0x0000000000400000-0x00000000032DB000-memory.dmp

Filesize
46.9MB

Download