Malware Analysis Report

2025-01-18 21:39

Sample ID 240415-qm24tshf8x
Target f1278c614f4bcb17088e0194a3e15108_JaffaCakes118
SHA256 e30cd3c2da289af8bf3fe377fa4872ceb13356378333eaabaa349f608b0fd545
Tags: adware discovery persistence stealer upx
Score: 7/10


Analysis Overview

Score: 7/10
SHA256: e30cd3c2da289af8bf3fe377fa4872ceb13356378333eaabaa349f608b0fd545

Threat level: shows suspicious behavior (score 7/10).

What the sample does, as recorded across the six tasks below: f1278c614f4bcb17088e0194a3e15108_JaffaCakes118 is an unsigned, UPX-packed NSIS wrapper. When run on Windows 7 (behavioral1) and Windows 10 (behavioral2) it drops WindowController_setup_06.exe into C:\Program Files (x86)\WindowController\, launches it with /VERYSILENT, and deletes itself through del_nsis_bat.cmd. The inner installer's artifacts (a setup stub named is-XXXXX.tmp started with /SL4, the _isetup\_RegDLL.tmp and _shfoldr.dll helpers, unins000.dat) are the standard layout of an Inno Setup installer; that identification is the editor's reading of the artifacts, the sandbox itself only flags NSIS and UPX. The installer writes windowcontroller_v1.dll and sqlite3.dll to C:\Program Files\WindowController\, registers that DLL as a Browser Helper Object under CLSID {F887887B-2D45-4998-9249-0ADE4BAD9EAA}, and adds a per-user Run value for WindowController.exe. The only network activity attributed to the sample is a DNS query for counter.adncheck.com (behavioral1). The adware and stealer tags come from the BHO signature alone; no credential or browser-data access is recorded, so read the verdict as an adware/browser-hijack installer rather than confirmed data theft. Tasks behavioral4 (the NSIS InstallOptions plugin run under rundll32), behavioral5 and behavioral6 (the inner installer run interactively) add no sample-attributable behavior; their network entries are sandbox background traffic.

Malicious Activity Summary

adware discovery persistence stealer upx

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

UPX packed file

Adds Run key to start application

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

No technique mappings are present in this export of the report.

Analysis: static1

Detonation Overview

Reported

2024-04-15 13:23

Signatures

Unsigned PE

Static signature; no per-event indicators recorded.

NSIS installer (tag: installer)

Static signature; no per-event indicators recorded.

Analysis: behavioral4

Detonation Overview

Submitted: 2024-04-15 13:23
Reported: 2024-04-15 13:26
Platform: win10v2004-20240226-en
Max time kernel: 140s
Max time network: 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

This task does not run the sample itself. It runs InstallOptions.dll, a stock NSIS plugin that the sandbox carved out of the installer's $PLUGINSDIR, by calling its ordinal #1 through rundll32. The export expects NSIS's own plugin calling convention, so invoking it this way crashed the 32-bit rundll32 (the WerFault entries below). Nothing in this task is evidence about the sample's behavior.

Signatures

Program crash

C:\Windows\SysWOW64\WerFault.exe handled the crash of C:\Windows\SysWOW64\rundll32.exe (PID 4440).

Suspicious use of WriteProcessMemory

PID 3484 (C:\Windows\system32\rundll32.exe) wrote to memory of PID 4440 (C:\Windows\SysWOW64\rundll32.exe), 3 events. The 64-bit rundll32 re-launching its 32-bit copy under SysWOW64 is the normal path for loading a 32-bit DLL, not injection.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

All traffic below is background activity of the Windows 10 image: reverse (in-addr.arpa) lookups issued by the host, and the Edge utility process contacting chromewebstore.googleapis.com and pki.goog. The report attributes none of it to the rundll32 process, and the domains are Edge's own (extension store and Google PKI), so treat it as sandbox noise rather than sample indicators.

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 151.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.213.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

None recorded.

Analysis: behavioral5

Detonation Overview

Submitted: 2024-04-15 13:23
Reported: 2024-04-15 13:26
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe"

This task runs the dropped inner installer on its own, on Windows 7 and without the /VERYSILENT switch the wrapper passes in behavioral1. It did not write to Program Files and set no Run value or BHO; the only artifacts are the extracted setup stub (is-95202.tmp), its _shfoldr.dll helper, and a del_bat.cmd cleanup script run through cmd.exe. The GetForegroundWindowSpam signature is consistent with the setup wizard polling for input that never came.

Signatures

Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp (the setup stub extracted by the installer).

Enumerates physical storage devices

No per-event indicators recorded.

Suspicious behavior: GetForegroundWindowSpam

C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp (repeated GetForegroundWindow calls, typical of a setup wizard waiting for user input).

Suspicious use of WriteProcessMemory

PID 2212 (WindowController_setup_06.exe) wrote to memory of PID 1980 (is-ISALC.tmp\is-95202.tmp), 7 events.
PID 1980 (is-ISALC.tmp\is-95202.tmp) wrote to memory of PID 2148 (C:\Windows\SysWOW64\cmd.exe), 4 events.
Both are parent-to-child writes that line up with process creation.

Processes

C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe

"C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe"

C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp

"C:\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp" /SL4 $F0150 "C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe" 1217223 52224

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""

Network

None recorded.

Files

memory/2212-1-0x0000000000400000-0x0000000000413000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-ISALC.tmp\is-95202.tmp

MD5 4fa180886ff7c0fd86a65f760ede6318
SHA1 2c89c271c71531362e84ddab5d3028f0756a9281
SHA256 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c
SHA512 a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

memory/1980-9-0x00000000003E0000-0x00000000003E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-ETNCE.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\del_bat.cmd

MD5 57d7419e37e725840c910cb21ccf0adb
SHA1 b2a7b23acc8039311994933add224e72ee08a4a4
SHA256 7adfe3d985257c921c924fca6fc84cec6b79b2bb676d4e1b603582afec778fac
SHA512 e4f0c3c5f2702baa8a3954eadca2e1c380b7bc0b1d642659d8bc03467f0f17be05ff5f6f9b96094a66b3fc7a0552277cea1e5c5a31ae073344ae2344fe9321fc

memory/2212-19-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1980-20-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/1980-23-0x00000000003E0000-0x00000000003E1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted: 2024-04-15 13:23
Reported: 2024-04-15 13:26
Platform: win10v2004-20240412-en
Max time kernel: 150s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe"

The same inner installer as behavioral5, on Windows 10 and again without /VERYSILENT. As on Windows 7, the setup stub (is-FTFOF.tmp) and the del_bat.cmd cleanup script are the only artifacts, and no persistence was recorded.

Signatures

None recorded for this task.
Processes

C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe

"C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe"

C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp" /SL4 $8016E "C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe" 1217223 52224

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""

Network

The www.bing.com connection and the in-addr.arpa reverse lookups are Windows 10 background traffic; the report attributes none of it to the installer.

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
NL 23.62.61.147:443 www.bing.com tcp
US 8.8.8.8:53 147.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 151.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

memory/2156-0-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2156-2-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp

MD5 4fa180886ff7c0fd86a65f760ede6318
SHA1 2c89c271c71531362e84ddab5d3028f0756a9281
SHA256 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c
SHA512 a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

memory/1684-13-0x0000000002340000-0x0000000002341000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\del_bat.cmd

MD5 57d7419e37e725840c910cb21ccf0adb
SHA1 b2a7b23acc8039311994933add224e72ee08a4a4
SHA256 7adfe3d985257c921c924fca6fc84cec6b79b2bb676d4e1b603582afec778fac
SHA512 e4f0c3c5f2702baa8a3954eadca2e1c380b7bc0b1d642659d8bc03467f0f17be05ff5f6f9b96094a66b3fc7a0552277cea1e5c5a31ae073344ae2344fe9321fc

memory/2156-15-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1684-16-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/1684-19-0x0000000002340000-0x0000000002341000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-15 13:23
Reported: 2024-04-15 13:26
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe"

This is the primary task: the submitted NSIS wrapper on Windows 7, and the detonation that shows the full install chain (wrapper, silent inner installer, BHO registration, Run value, self-deletion).

Signatures

ACProtect 1.3x - 1.4x DLL software

Static packer signature; no per-event indicators recorded. This rule often fires alongside UPX in PEiD-derived signature sets, so treat the ACProtect hit as low confidence unless unpacking confirms it.

Deletes itself

C:\Windows\SysWOW64\cmd.exe removed the wrapper by running the dropped del_nsis_bat.cmd (see Processes).

UPX packed file (tag: upx)

Static signature, 3 matches; no per-event indicators recorded.

Adds Run key to start application (tag: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowController = "c:\\program files\\WindowController\\WindowController.exe" C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A

The value lives in the user's hive (HKCU\...\Run), so WindowController.exe starts at that user's logon and needs no elevation to be set.

Checks installed software on the system (tag: discovery)

No per-event indicators recorded.

Installs/modifies Browser Helper Object (tags: stealer, adware)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA} C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A

The BHO is registered by _RegDLL.tmp, Inno Setup's helper for registering a DLL's COM server (the COM entries themselves are listed under "Modifies registry class"). NoExplorer = 1 stops Windows Explorer from loading the BHO, leaving it to load only in Internet Explorer. The "stealer" tag is the sandbox's fixed label for this signature; the report records no browser-data access by the DLL.
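The two registry writes above (the Run value set by the Inno Setup stub, and the BHO key created by _RegDLL.tmp) are the events a Sysmon-based detection would key on. The PowerShell below is an added example by the editor, not part of the sandbox report or of any vendor tooling. It normalises Sysmon RegistryEvent TargetObject paths so one pattern covers any user SID and both registry views, classifies an event as Run-key persistence written from a temp installer stub, a known-CLSID BHO, or any other BHO registration, runs that logic over the two events from this report (constructed inline from the tables above), and then sweeps the local Sysmon log if the service is present. The field names (TargetObject, Image, Details) and Event IDs 12/13 are Sysmon's; the rule names and the "temp installer stub" heuristic are the editor's own choices.

```powershell
# Added example (not from the sandbox report): classify Sysmon registry events
# that match the persistence recorded in behavioral1/behavioral2:
#   - a value set under any user's ...\CurrentVersion\Run by a process running
#     from %TEMP%\is-*.tmp\ (an Inno Setup stub), or
#   - a key/value written under ...\Explorer\Browser Helper Objects\{CLSID}.
# Requires Sysmon with registry logging (Event IDs 12/13) enabled for these paths.
# The CLSID is the one from this report; everything else is generic.

$KnownBhoClsid = '{F887887B-2D45-4998-9249-0ADE4BAD9EAA}'

# Turn HKU\S-1-5-21-...\ and \REGISTRY\MACHINE\ forms into HKCU\ / HKLM\ and drop
# WOW6432Node, so one pattern covers every SID and both registry views.
function Normalize-RegPath {
    param([string]$Path)
    $p = $Path -replace '^(HKU|\\REGISTRY\\USER)\\S-1-5-21-[\d-]+(_Classes)?\\', 'HKCU\'
    $p = $p -replace '^\\REGISTRY\\MACHINE\\', 'HKLM\'
    $p = $p -replace '\\WOW6432Node\\', '\'
    return $p
}

# Returns a rule name for a hit, or $null for an event that does not match.
function Test-BhoPersistence {
    param(
        [string]$TargetObject,   # Sysmon TargetObject
        [string]$Image,          # Sysmon Image (the writing process)
        [string]$Details = ''    # Sysmon Details (value data); empty for key creates
    )
    $t   = Normalize-RegPath $TargetObject
    $img = $Image.ToLowerInvariant()

    $runKey       = $t -match '(?i)^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\'
    $fromTempStub = $img -match '\\appdata\\local\\temp\\is-[a-z0-9]+\.tmp\\'
    if ($runKey -and $fromTempStub) { return 'RunKey-from-TempInstaller' }

    if ($t -match '(?i)\\CurrentVersion\\Explorer\\Browser Helper Objects\\(\{[0-9A-F-]+\})') {
        $clsid = $Matches[1].ToUpperInvariant()
        if ($clsid -eq $KnownBhoClsid) { return 'BHO-KnownClsid' }
        if ($img -match '_regdll\.tmp$' -or $fromTempStub) { return 'BHO-from-TempInstaller' }
        return 'BHO-Registered'
    }
    return $null
}

# Read Sysmon RegistryEvent records (12 = key create/delete, 13 = value set)
# through their XML so fields are picked up by name, not by Properties index.
function Get-BhoPersistenceHits {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $hit = Test-BhoPersistence -TargetObject $d.TargetObject -Image $d.Image -Details $d.Details
            if ($hit) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Rule   = $hit
                    Image  = $d.Image
                    Target = Normalize-RegPath $d.TargetObject
                    Data   = $d.Details
                }
            }
        }
}

# Offline check against the two events recorded in the report (constructed from
# the Signatures tables), then a live sweep if Sysmon is installed.
$sample = @(
    @{ TargetObject = '\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowController'
       Image        = 'C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp' },
    @{ TargetObject = '\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}'
       Image        = 'C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp' }
)
foreach ($s in $sample) { '{0,-28} {1}' -f (Test-BhoPersistence @s), $s.TargetObject }
# Prints RunKey-from-TempInstaller and BHO-KnownClsid for the two sample events.

if (Get-Service Sysmon* -ErrorAction SilentlyContinue) { Get-BhoPersistenceHits | Format-Table -AutoSize }
```

The "Run value written from %TEMP%\is-*.tmp\" rule will also fire on legitimate Inno Setup installers that register an autostart, so it is a triage signal, not a verdict; the CLSID match is the specific indicator for this sample. Sysmon only records registry events its configuration includes, so confirm that Browser Helper Objects and CurrentVersion\Run are covered before relying on the live sweep.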

Drops file in Program Files directory

Files written as is-XXXXX.tmp are Inno Setup's temporary names; they are renamed to their final names (windowcontroller_v1.dll, sqlite3.dll, see Files) once the copy completes. Note the two directories: the wrapper drops the inner installer under C:\Program Files (x86)\WindowController\, while the inner installer installs to C:\Program Files\WindowController\.

Description Indicator Process Target
File created C:\Program Files\WindowController\is-03V98.tmp C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A
File created C:\Program Files\WindowController\is-KVQ47.tmp C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A
File created C:\Program Files\WindowController\is-3GRB9.tmp C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A
File created C:\Program Files (x86)\WindowController\WindowController_setup_06.exe C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WindowController\del_bat.cmd C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A
File created C:\Program Files\WindowController\is-TAF32.tmp C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A
File created C:\Program Files\WindowController\is-NCT7N.tmp C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A
File created C:\Program Files\WindowController\is-ABGFQ.tmp C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A
File opened for modification C:\Program Files\WindowController\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A
File created C:\Program Files\WindowController\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A
File created C:\Program Files\WindowController\is-5D2PI.tmp C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp N/A

Enumerates physical storage devices: no per-event indicators recorded.

Modifies registry class

These are the COM registration entries for the BHO DLL, written by _RegDLL.tmp: CLSID {F887887B-2D45-4998-9249-0ADE4BAD9EAA} ("WindowController Class", ThreadingModel Apartment) with InprocServer32 pointing at the dropped DLL in 8.3 form (C:\PROGRA~1\WIC173~1\WINDOW~1.DLL), ProgID windowcontroller.windowcontroller, type library {3D3A1318-C358-47E0-8E53-39FC647E85AA} version 1.0 backed by C:\Program Files\WindowController\windowcontroller_v1.dll, and interface IWindowController {AD087366-012D-44BD-8604-EDDA1AAD3FAA} marshaled through the standard type-library marshaler {00020424-0000-0000-C000-000000000046}. The Wow6432Node entries are the 32-bit view of the same keys.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA} C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ProgID C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ProgID\ = "windowcontroller.windowcontroller" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA} C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA} C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ = "IWindowController" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA} C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ = "WindowController" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\Clsid\ = "{F887887B-2D45-4998-9249-0ADE4BAD9EAA}" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ = "WindowController Class" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\ = "WindowController" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ = "IWindowController" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0 C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\Clsid C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\ = "windowcontroller Library" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\HELPDIR\ = "C:\\Program Files\\WindowController\\" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32\ = "C:\\PROGRA~1\\WIC173~1\\WINDOW~1.DLL" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\Version C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0\win32\ = "C:\\Program Files\\WindowController\\windowcontroller_v1.dll" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0 C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp N/A

Suspicious use of WriteProcessMemory

All writes are parent-to-child, seven per child, and line up with process creation; together they give the process tree of the task:

PID 1708  C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
  -> PID 1964  C:\Program Files (x86)\WindowController\WindowController_setup_06.exe (7 events)
       -> PID 2152  C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp (7 events)
            -> PID 2612  C:\Windows\SysWOW64\cmd.exe, runs del_bat.cmd (7 events)
            -> PID 2544  C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp (7 events)
  -> PID 1704  C:\Windows\SysWOW64\cmd.exe, runs del_nsis_bat.cmd (7 events)

Processes

C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe"

C:\Program Files (x86)\WindowController\WindowController_setup_06.exe

"C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "

C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp

"C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp" /SL4 $40156 "C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" 1217223 52224 /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\WindowController\del_bat.cmd""

C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp

_RegDLL.tmp 552 544

Network

The only network activity attributed to the sample in any task: a DNS query for counter.adncheck.com. No TCP connection to the resolved address is recorded.

Country Destination Domain Proto
US 8.8.8.8:53 counter.adncheck.com udp

Files

\Program Files (x86)\WindowController\WindowController_setup_06.exe

MD5 5f47cf5504f99f7a6a20ea11e393ed75
SHA1 081ba58a5a211efa949b6536b477b9f211f1a0ea
SHA256 a3164eb1974835b112230abb7460da2b4c328dfed3c85283c792911e86f90f5b
SHA512 4c8e48d14124fdcbb5a4624c77557c94b3bd756fbb2bf98d37b5a4355b3fd902e0fb335d5fb8b4a939e5df04e9c52e426225426c80af07f2876a23dd3a93a5f2

C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd

MD5 3670ebb3297f13962c71489c50e5fc4a
SHA1 9b58125817e1ed3fafd54c89dcd8880b45e8d27f
SHA256 5a48071bfbb02ec1cdda615f83a973d98ba2a339fc10520e11719cf08a3ccde0
SHA512 99c08672a993ad55c9e9de663209543e936aef6e2137af2f3941ff27f6e8283e3c550611e25bd5669c0a4834618266e047039cd69ea59214cd6f7a04ba76a714

memory/1964-16-0x0000000000400000-0x0000000000413000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp

MD5 4fa180886ff7c0fd86a65f760ede6318
SHA1 2c89c271c71531362e84ddab5d3028f0756a9281
SHA256 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c
SHA512 a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Program Files (x86)\WindowController\del_bat.cmd

MD5 569c447b88ee6ee87a0d575fc064c735
SHA1 c6d4a65b6ae7cd71d3d147de18623ea608fab20a
SHA256 ec05b65ae7c94229a78f0a7265027f69f7b722dd30960f7f9775dc39e68e820c
SHA512 1ff2b42c4fd16c10b93a65ff07ad9c300f3ce30b1b7a88f4f4db8c35741378b0feb4a049ff16e48c46a259118fbf3e08d2accaac717474be5eb2185946fd5be5

\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp

MD5 c594b792b9c556ea62a30de541d2fb03
SHA1 69e0207515e913243b94c2d3a116d232ff79af5f
SHA256 5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e
SHA512 387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144

C:\Program Files\WindowController\windowcontroller_v1.dll

MD5 42fa974b082ae577576fe5d4116b0ea7
SHA1 f374a519c41c73e5e40f281d25ec91325ff8c103
SHA256 b8220fa29179648237f3614d42a0e47f6b704df731cca293d72eb6be79e70a45
SHA512 60c9069ce07a71e97572b2307d508e47cb470154918875429e2a08a0d506a099ebf7f2c075dffd44d3d321b4c6521fd15c162b03020468a9f857171abf711e48

memory/2544-55-0x0000000001F70000-0x000000000209C000-memory.dmp

\Program Files\WindowController\sqlite3.dll

MD5 89f0fd81f69f1a20ba0951d8694b4437
SHA1 f3c56f20cf8a6f6dd210b287b6a22210d252ec6b
SHA256 c5e209f7c5e2a2e58537e7d4a5e6c4a6a557ac0ec72a4eb16a490e248945e57a
SHA512 51f358397a4fef954f42b3dfde6b877ffc4938567aae1d085f65d837b63a17c4bf10b9a1c29b7541e2adfcbc909b5fb832af62f06774a2557a6e4ce776d062fd

memory/2152-61-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/1964-62-0x0000000000400000-0x0000000000413000-memory.dmp
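For a responder checking other hosts, the artifacts recorded in this task reduce to three checks: the per-user Run value, the BHO and its COM registration in the 32-bit registry view, and the two install directories with their file hashes. The script below is an added example by the editor, not part of the report. The CLSID, type library and interface GUIDs, ProgID, paths and SHA256 values are taken from the Signatures and Files tables above; the -Remove switch is the editor's assumption about how a hit should be acted on (collect first, then remove). Run it elevated.

```powershell
# Added example (not part of the sandbox report): check a host for the artifacts
# recorded in behavioral1 and optionally remove them. Indicators are the ones
# in the report; the -Remove behaviour is an editor's assumption.
param([switch]$Remove)

$Clsid   = '{F887887B-2D45-4998-9249-0ADE4BAD9EAA}'
$TypeLib = '{3D3A1318-C358-47E0-8E53-39FC647E85AA}'
$Iface   = '{AD087366-012D-44BD-8604-EDDA1AAD3FAA}'
$ProgId  = 'windowcontroller.windowcontroller'

# SHA256 of the dropped components (behavioral1, Files). The is-*.tmp stub hash is
# typically shared by every installer built with the same Inno Setup version, so
# it is listed for completeness, not as an indicator on its own.
$KnownHashes = @{
    'A3164EB1974835B112230ABB7460DA2B4C328DFED3C85283C792911E86F90F5B' = 'WindowController_setup_06.exe'
    'B8220FA29179648237F3614D42A0E47F6B704DF731CCA293D72EB6BE79E70A45' = 'windowcontroller_v1.dll'
    'C5E209F7C5E2A2E58537E7D4A5E6C4A6A557AC0EC72A4EB16A490E248945E57A' = 'sqlite3.dll'
    '1D9026C60374B056720CDFCFA598A641CC8FBC9932590D69B4CFBC32CD09871C' = 'is-*.tmp (Inno Setup stub, weak indicator)'
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Note = '') {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Where; Note = $Note })
}

# 1. Run value in every loaded user hive (the report records it under the user's SID).
$userHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
foreach ($hive in $userHives) {
    $run = Join-Path $hive.PSPath 'Software\Microsoft\Windows\CurrentVersion\Run'
    $val = Get-ItemProperty -Path $run -Name WindowController -ErrorAction SilentlyContinue
    if ($val) {
        Add-Finding 'RunKey' "$run\WindowController" $val.WindowController
        if ($Remove) { Remove-ItemProperty -Path $run -Name WindowController -Force }
    }
}

# 2. BHO registration and the COM classes behind it (32-bit view on 64-bit Windows).
$comKeys = @(
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Classes\TypeLib\$TypeLib",
    "HKLM:\SOFTWARE\Classes\Interface\$Iface",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\Interface\$Iface",
    "HKLM:\SOFTWARE\Classes\$ProgId"
)
foreach ($k in $comKeys) {
    if (Test-Path $k) {
        $server = (Get-ItemProperty -Path "$k\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        Add-Finding 'Registry' $k $server
        if ($Remove) { Remove-Item -Path $k -Recurse -Force }
    }
}

# 3. Dropped files: hash everything under both install directories and compare.
foreach ($dir in "$env:ProgramFiles\WindowController", "${env:ProgramFiles(x86)}\WindowController") {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Recurse | ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $note = if ($KnownHashes.ContainsKey($h)) { "matches report: $($KnownHashes[$h])" } else { 'not in report' }
        Add-Finding 'File' $_.FullName $note
    }
    if ($Remove) { Remove-Item -Path $dir -Recurse -Force }
}

$Findings | Format-Table -AutoSize
if (-not $Findings.Count) { 'No WindowController artifacts found.' }
```

Run it once without -Remove to record what is present (and copy the DLLs out for analysis, since windowcontroller_v1.dll is the component the report never executes), then with -Remove. Removing the COM keys before the BHO key is harmless here because the script walks its own list; if Internet Explorer has the DLL loaded, close it first or the file deletion will fail.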

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-15 13:23
Reported: 2024-04-15 13:26
Platform: win10v2004-20240412-en
Max time kernel: 93s
Max time network: 113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe"

The submitted wrapper on Windows 10. The install chain and indicators mirror behavioral1 (only the temp directory names and user SID differ); the one additional signature in this task is a read of Control Panel\International\Geo\Nation.

Signatures

ACProtect 1.3x - 1.4x DLL software


Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowController = "c:\\program files\\WindowController\\WindowController.exe" C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA} C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowController\is-2I09V.tmp C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A
File created C:\Program Files\WindowController\is-U31JN.tmp C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A
File created C:\Program Files\WindowController\is-FUCKO.tmp C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A
File created C:\Program Files\WindowController\is-AU2B7.tmp C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A
File created C:\Program Files\WindowController\is-NMT1G.tmp C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A
File created C:\Program Files\WindowController\is-1Q1SM.tmp C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A
File created C:\Program Files (x86)\WindowController\del_bat.cmd C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A
File created C:\Program Files\WindowController\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A
File opened for modification C:\Program Files\WindowController\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A
File created C:\Program Files (x86)\WindowController\WindowController_setup_06.exe C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe N/A
File created C:\Program Files\WindowController\is-U8FHN.tmp C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32\ = "C:\\PROGRA~1\\WIC173~1\\WINDOW~1.DLL" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\ = "WindowController" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0 C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA} C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0\win32\ = "C:\\Program Files\\WindowController\\windowcontroller_v1.dll" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA} C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\ = "windowcontroller Library" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\Clsid C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ProgID\ = "windowcontroller.windowcontroller" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\Version C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA} C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ = "IWindowController" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ = "WindowController" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\Clsid\ = "{F887887B-2D45-4998-9249-0ADE4BAD9EAA}" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA} C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0 C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ = "IWindowController" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\HELPDIR\ = "C:\\Program Files\\WindowController\\" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ProgID C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ = "WindowController Class" C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe C:\Program Files (x86)\WindowController\WindowController_setup_06.exe
PID 3032 wrote to memory of 932 N/A C:\Program Files (x86)\WindowController\WindowController_setup_06.exe C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp
PID 2672 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe"

C:\Program Files (x86)\WindowController\WindowController_setup_06.exe

"C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp" /SL4 $401D8 "C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" 1217223 52224 /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\WindowController\del_bat.cmd""

C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp

_RegDLL.tmp 1212 1116

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 counter.adncheck.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 163.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

C:\Program Files (x86)\WindowController\WindowController_setup_06.exe

MD5 5f47cf5504f99f7a6a20ea11e393ed75
SHA1 081ba58a5a211efa949b6536b477b9f211f1a0ea
SHA256 a3164eb1974835b112230abb7460da2b4c328dfed3c85283c792911e86f90f5b
SHA512 4c8e48d14124fdcbb5a4624c77557c94b3bd756fbb2bf98d37b5a4355b3fd902e0fb335d5fb8b4a939e5df04e9c52e426225426c80af07f2876a23dd3a93a5f2

memory/3032-6-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp

MD5 4fa180886ff7c0fd86a65f760ede6318
SHA1 2c89c271c71531362e84ddab5d3028f0756a9281
SHA256 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c
SHA512 a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

memory/932-17-0x0000000000590000-0x0000000000591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd

MD5 3670ebb3297f13962c71489c50e5fc4a
SHA1 9b58125817e1ed3fafd54c89dcd8880b45e8d27f
SHA256 5a48071bfbb02ec1cdda615f83a973d98ba2a339fc10520e11719cf08a3ccde0
SHA512 99c08672a993ad55c9e9de663209543e936aef6e2137af2f3941ff27f6e8283e3c550611e25bd5669c0a4834618266e047039cd69ea59214cd6f7a04ba76a714

C:\Program Files (x86)\WindowController\del_bat.cmd

MD5 569c447b88ee6ee87a0d575fc064c735
SHA1 c6d4a65b6ae7cd71d3d147de18623ea608fab20a
SHA256 ec05b65ae7c94229a78f0a7265027f69f7b722dd30960f7f9775dc39e68e820c
SHA512 1ff2b42c4fd16c10b93a65ff07ad9c300f3ce30b1b7a88f4f4db8c35741378b0feb4a049ff16e48c46a259118fbf3e08d2accaac717474be5eb2185946fd5be5

C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp

MD5 c594b792b9c556ea62a30de541d2fb03
SHA1 69e0207515e913243b94c2d3a116d232ff79af5f
SHA256 5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e
SHA512 387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144

C:\Program Files\WindowController\windowcontroller_v1.dll

MD5 42fa974b082ae577576fe5d4116b0ea7
SHA1 f374a519c41c73e5e40f281d25ec91325ff8c103
SHA256 b8220fa29179648237f3614d42a0e47f6b704df731cca293d72eb6be79e70a45
SHA512 60c9069ce07a71e97572b2307d508e47cb470154918875429e2a08a0d506a099ebf7f2c075dffd44d3d321b4c6521fd15c162b03020468a9f857171abf711e48

memory/1296-43-0x00000000021D0000-0x00000000022FC000-memory.dmp

C:\Program Files\WindowController\sqlite3.dll

MD5 89f0fd81f69f1a20ba0951d8694b4437
SHA1 f3c56f20cf8a6f6dd210b287b6a22210d252ec6b
SHA256 c5e209f7c5e2a2e58537e7d4a5e6c4a6a557ac0ec72a4eb16a490e248945e57a
SHA512 51f358397a4fef954f42b3dfde6b877ffc4938567aae1d085f65d837b63a17c4bf10b9a1c29b7541e2adfcbc909b5fb832af62f06774a2557a6e4ce776d062fd

memory/1296-47-0x0000000060900000-0x000000006096F000-memory.dmp

memory/1296-45-0x00000000021D0000-0x00000000022FC000-memory.dmp

memory/932-51-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/3032-52-0x0000000000400000-0x0000000000413000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-15 13:23

Reported

2024-04-15 13:26

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 244

Network

N/A

Files

N/A