Malware Analysis Report

2025-04-14 08:09

Sample ID 250327-eryresxsgy
Target sample2.exe
SHA256 361411e6321c45c845669ac89e32feec0bdd97916b5d73f508c43576b8a15a20
Tags
raccoon vidar 651 discovery spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file sample2.exe was found to be: Known bad.

Malicious Activity Summary

Vidar family

Raccoon family

Raccoon Stealer V1 payload

Vidar

Raccoon

Vidar Stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads local data of messenger clients

Accesses 2FA software files, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs .reg file with regedit

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-27 04:11

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-27 04:11

Reported

2025-03-27 04:11

Platform

win7-20240903-en

Max time kernel

16s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sample2.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Raccoon family

raccoon

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
File opened for modification C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
File created C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\wotsuper.reg C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe N/A

Modifies Internet Explorer settings

adware spyware

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2400 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
PID 2400 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
PID 2400 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe C:\Windows\SysWOW64\regedit.exe
PID 2400 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2960 wrote to memory of 2224 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2220 wrote to memory of 2776 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1996 wrote to memory of 2216 N/A C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sample2.exe

"C:\Users\Admin\AppData\Local\Temp\sample2.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1Ldta7.html

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1smEq7.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:2

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe

"C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 telete.in udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 manillamemories.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
memory/2400-37-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8528E0E1-0AC1-11F0-B594-F245C6AC432F}.dat
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{84F482A1-0AC1-11F0-B594-F245C6AC432F}.dat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
C:\Users\Admin\AppData\Local\Temp\CabAD40.tmp
C:\Users\Admin\AppData\Local\Temp\TarAD43.tmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3OKUXRSJ.txt
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Y4QSIHY6.txt
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\favicon[1].png
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\TarC3C6.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
memory/2088-603-0x0000000000400000-0x00000000032DB000-memory.dmp
C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe
memory/1996-612-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini
C:\Windows\wotsuper.reg
memory/2216-724-0x0000000000400000-0x000000000041F000-memory.dmp