952b032de2c7d60459747c29546f5a6327803534e06a0e704c1147783b06e350

Analysis

max time kernel
86s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/02/2023, 06:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Size

2.3MB
MD5

d011cadd7194bfb7b3bcaa5b68bf3369
SHA1

32811e5155f00cc50e191d54334be9c9d8b67e8d
SHA256

952b032de2c7d60459747c29546f5a6327803534e06a0e704c1147783b06e350
SHA512

3b7c92bc1ab9d8ba63d31f0216fdf6ac2c4ced4812990263e7acee711b625da181b5be4c07ca35946802da5e6b33357397c23446926e5e34eb80f824b0548823
SSDEEP

49152:johTR5c9CsOBSGzJmdTd92PnLPaAU8Tnma8ohTR5c9CsOhZq:8THc9le1zJmdr2Dajmn9ZTHc9lz

Score

7^/10

discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022dd8-133.dat	acprotect
behavioral2/files/0x0006000000022dd8-132.dat	acprotect
behavioral2/files/0x0007000000022dd1-139.dat	acprotect
behavioral2/files/0x0007000000022dd1-138.dat	acprotect
behavioral2/files/0x0006000000022df3-140.dat	acprotect
behavioral2/files/0x0006000000022df3-141.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4388	ISBEW64.exe

Loads dropped DLL 18 IoCs

pid	Process
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
4388	ISBEW64.exe
4388	ISBEW64.exe
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
4388	ISBEW64.exe
4388	ISBEW64.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcServer32	ISBEW64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcServer32\ = "C:\\Program Files\\VID_0810&PID_0001\\company\\Twin USB Gamepad\\JOYPS.dll"	ISBEW64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcServer32\ThreadingModel = "Both"	ISBEW64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\InProcServer32	ISBEW64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\InProcServer32\ = "C:\\Program Files\\VID_0810&PID_0001\\company\\Twin USB Gamepad\\JoyFF.dll"	ISBEW64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\InProcServer32\ThreadingModel = "Both"	ISBEW64.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022dd8-133.dat	upx
behavioral2/files/0x0006000000022dd8-132.dat	upx
behavioral2/memory/376-134-0x0000000002860000-0x00000000029F7000-memory.dmp	upx
behavioral2/memory/376-135-0x0000000002860000-0x00000000029F7000-memory.dmp	upx
behavioral2/files/0x0007000000022dd1-139.dat	upx
behavioral2/files/0x0007000000022dd1-138.dat	upx
behavioral2/files/0x0006000000022df3-140.dat	upx
behavioral2/files/0x0006000000022df3-141.dat	upx
behavioral2/memory/376-146-0x0000000004E20000-0x0000000004EAE000-memory.dmp	upx
behavioral2/memory/376-147-0x0000000005090000-0x0000000005120000-memory.dmp	upx
behavioral2/memory/376-148-0x0000000002860000-0x00000000029F7000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\layout.bin	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\setu6e3b.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\VID_0810&PID_0001\Company\Twin USB Gamepad\JOYPS.dll	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\_Set6e2b.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\_Setup.dll	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\layo6e1b.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\data1.hdr	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files (x86)\VID_0810&PID_0001\Company\Twin USB Gamepad\devc6e5a.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\devc6e5a.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\devcon.exe	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\setu6e2b.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\ISSetup.dll	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files (x86)\VID_0810&PID_0001\Company\Twin USB Gamepad\JoyF6e4a.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\VID_0810&PID_0001\Company\Twin USB Gamepad\JoyFF.dll	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files (x86)\VID_0810&PID_0001\Company\Twin USB Gamepad\JOYP6e4a.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JOYPS.dll	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\data1.cab	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JOYP6e4a.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JoyF6e5a.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JoyFF.dll	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\VID_0810&PID_0001\Company\Twin USB Gamepad\devcon.exe	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\data6e1b.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\setup.exe	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\ISSe6e2b.rra	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\setup.inx	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\setup.ini	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000106161d2e731958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000106161d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900106161d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\ = "{7B90789A-10ED-4F8A-B537-8AB74FED0023}"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcServer32	ISBEW64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\ = "USB Dual Vibration Joystick Property Sheet Support DLL"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\ = "Twin USB Gamepad Property Sheet DLL"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\ = "Twin USB Gamepad Property Sheet DLL"	ISBEW64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\ = "ISENG64Lib"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\Version = "1.0"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\ = "Twin USB Gamepad Force FeedBack Support DLL"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcServer32\ = "C:\\Program Files (x86)\\VID_0810&PID_0001\\Company\\Twin USB Gamepad\\JOYPS.dll"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR\ = "C:\\ProgramData\\InstallShield\\ISEngine12.0"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}	ISBEW64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcServer32\ThreadingModel = "Both"	ISBEW64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ = "IISBEW64Utils"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcHandler32\ = "gchand.dll"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\InProcServer32\ = "C:\\Program Files (x86)\\VID_0810&PID_0001\\Company\\Twin USB Gamepad\\JoyFF.dll"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ = "IISBEW64Utils"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS\ = "0"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\InProcServer32	ISBEW64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32\ = "C:\\ProgramData\\InstallShield\\ISEngine12.0\\IsBE.dll"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\Version = "1.0"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\InProcServer32\ThreadingModel = "Both"	ISBEW64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\WOW6432Node\CLSID	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\InProcServer32\ = "C:\\Program Files (x86)\\VID_0810&PID_0001\\Company\\Twin USB Gamepad\\GaJoyFF.dll"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcHandler32	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\ = "{7B90789A-10ED-4F8A-B537-8AB74FED0023}"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\InProcServer32	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcServer32	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\InProcServer32\ThreadingModel = "Both"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\InProcServer32\ = "C:\\Program Files\\VID_0810&PID_0001\\company\\Twin USB Gamepad\\JoyFF.dll"	ISBEW64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcServer32\ = "C:\\Program Files\\VID_0810&PID_0001\\company\\Twin USB Gamepad\\JOYPS.dll"	ISBEW64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcHandler32	ISBEW64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\ = "Twin USB Gamepad Force FeedBack Support DLL"	ISBEW64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}\ = "USB Dual Vibration Joystick Feedback Support DLL"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcServer32\ = "C:\\Program Files (x86)\\VID_0810&PID_0001\\Company\\Twin USB Gamepad\\GAJoyPS.dll"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcServer32\ThreadingModel = "Both"	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5D-40D0-438A-B4C2-DE4522951071}\InProcHandler32\ = "gchand.dll"	ISBEW64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4FE8B5C-40D0-438A-B4C2-DE4522951071}	ISBEW64.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	3696	vssvc.exe
Token: SeRestorePrivilege	3696	vssvc.exe
Token: SeAuditPrivilege	3696	vssvc.exe
Token: SeBackupPrivilege	4208	srtasks.exe
Token: SeRestorePrivilege	4208	srtasks.exe
Token: SeSecurityPrivilege	4208	srtasks.exe
Token: SeTakeOwnershipPrivilege	4208	srtasks.exe
Token: SeBackupPrivilege	4208	srtasks.exe
Token: SeRestorePrivilege	4208	srtasks.exe
Token: SeSecurityPrivilege	4208	srtasks.exe
Token: SeTakeOwnershipPrivilege	4208	srtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
4388	ISBEW64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 4388	376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe	81
PID 376 wrote to memory of 4388	376	VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe	81

C:\Users\Admin\AppData\Local\Temp\VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe
"C:\Users\Admin\AppData\Local\Temp\VID_0810&PID_0001 Twin USB Gamepad 64Bit Setup2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\{B6C9BBF7-5177-49F4-9D5D-C2A3E8D845D4}\ISBEW64.exe
  C:\Users\Admin\AppData\Local\Temp\{B6C9BBF7-5177-49F4-9D5D-C2A3E8D845D4}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19029EFC-95DF-4EB9-BBDD-E11C590EED6E}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VID_0810&PID_0001\Company\Twin USB Gamepad\JOYPS.dll

Filesize
58KB

MD5
982fdf0a4ee8588d481021ff49c3f5ab

SHA1
b2af7474556fd27dbe4a6f550d852c88ae3c4bb5

SHA256
6d63a921e550ffdc7fb1574d7323bf3c670da2a53814236988b0e76948135133

SHA512
377a53f54fa487ed9ea31ccdb59f567a96c65cb4a5e41efc562968008b1ec5b2c618f5f102a86df4e6a9a7616a948816e8d49d10767ab3f5f4c9c8247d079c42

Download Submit
C:\Program Files (x86)\VID_0810&PID_0001\Company\Twin USB Gamepad\JOYPS.dll

Filesize
58KB

MD5
982fdf0a4ee8588d481021ff49c3f5ab

SHA1
b2af7474556fd27dbe4a6f550d852c88ae3c4bb5

SHA256
6d63a921e550ffdc7fb1574d7323bf3c670da2a53814236988b0e76948135133

SHA512
377a53f54fa487ed9ea31ccdb59f567a96c65cb4a5e41efc562968008b1ec5b2c618f5f102a86df4e6a9a7616a948816e8d49d10767ab3f5f4c9c8247d079c42

Download Submit
C:\Program Files (x86)\VID_0810&PID_0001\Company\Twin USB Gamepad\JoyFF.dll

Filesize
42KB

MD5
16537c9fb23151ec8a6e303c6f6a0ee4

SHA1
84cc8b7eb9e9c0b6fac3ff49425b42658c2e425a

SHA256
d1c830e55b710bb6f66a9178c95b0e3235ff1927fb4e577160b05fc6da5bde87

SHA512
63dfdcecdc5c2edd703fa4bedd59f4887be8a33c6f8608cc437dc68e9c5bb852e6fa0db7020c9b4e17ccdb71a8aa352c7d806363f97eb5711da4b9af070848b7

Download Submit
C:\Program Files (x86)\VID_0810&PID_0001\Company\Twin USB Gamepad\JoyFF.dll

Filesize
42KB

MD5
16537c9fb23151ec8a6e303c6f6a0ee4

SHA1
84cc8b7eb9e9c0b6fac3ff49425b42658c2e425a

SHA256
d1c830e55b710bb6f66a9178c95b0e3235ff1927fb4e577160b05fc6da5bde87

SHA512
63dfdcecdc5c2edd703fa4bedd59f4887be8a33c6f8608cc437dc68e9c5bb852e6fa0db7020c9b4e17ccdb71a8aa352c7d806363f97eb5711da4b9af070848b7

Download Submit
C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JOYPS.dll

Filesize
79KB

MD5
67b559c01904760a095abf22561e68e5

SHA1
3ce8e1b78bffb6637adcf0242825a8ecbf5217eb

SHA256
bf23b0de818711af4c1c77cd004fd5ff20eeb45829673003e2ff1ded2fe83484

SHA512
ffbb6347f0ae6203d2e3383091b17c7865111652a8d4176321ef75aeb2196f25044b5ac3a0a3e66f5846e98043986937cf87d9549da709bb413f3f9e7a554acc

Download Submit
C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JOYPS.dll

Filesize
79KB

MD5
67b559c01904760a095abf22561e68e5

SHA1
3ce8e1b78bffb6637adcf0242825a8ecbf5217eb

SHA256
bf23b0de818711af4c1c77cd004fd5ff20eeb45829673003e2ff1ded2fe83484

SHA512
ffbb6347f0ae6203d2e3383091b17c7865111652a8d4176321ef75aeb2196f25044b5ac3a0a3e66f5846e98043986937cf87d9549da709bb413f3f9e7a554acc

Download Submit
C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JOYPS.dll

Filesize
79KB

MD5
67b559c01904760a095abf22561e68e5

SHA1
3ce8e1b78bffb6637adcf0242825a8ecbf5217eb

SHA256
bf23b0de818711af4c1c77cd004fd5ff20eeb45829673003e2ff1ded2fe83484

SHA512
ffbb6347f0ae6203d2e3383091b17c7865111652a8d4176321ef75aeb2196f25044b5ac3a0a3e66f5846e98043986937cf87d9549da709bb413f3f9e7a554acc

Download Submit
C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JOYPS.dll

Filesize
79KB

MD5
67b559c01904760a095abf22561e68e5

SHA1
3ce8e1b78bffb6637adcf0242825a8ecbf5217eb

SHA256
bf23b0de818711af4c1c77cd004fd5ff20eeb45829673003e2ff1ded2fe83484

SHA512
ffbb6347f0ae6203d2e3383091b17c7865111652a8d4176321ef75aeb2196f25044b5ac3a0a3e66f5846e98043986937cf87d9549da709bb413f3f9e7a554acc

Download Submit
C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JoyFF.dll

Filesize
57KB

MD5
c135522aa3b501e243d2776c314ac2c8

SHA1
adc4732a2c63d6301541a9bb26b8fecce08237b2

SHA256
31313e18a0e3789de0afa192d97583639099f70bef3b8fbe17f4f7bc1756949d

SHA512
318ca8913eb928f69403a78a744f97222e3e13db6780f76a6d0b8977dad1df80d5c11f23e6b2ed6443ccee4c6fe6c6c03efd6e317de6a3a2bc5d524c356f0cae

Download Submit
C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JoyFF.dll

Filesize
57KB

MD5
c135522aa3b501e243d2776c314ac2c8

SHA1
adc4732a2c63d6301541a9bb26b8fecce08237b2

SHA256
31313e18a0e3789de0afa192d97583639099f70bef3b8fbe17f4f7bc1756949d

SHA512
318ca8913eb928f69403a78a744f97222e3e13db6780f76a6d0b8977dad1df80d5c11f23e6b2ed6443ccee4c6fe6c6c03efd6e317de6a3a2bc5d524c356f0cae

Download Submit
C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JoyFF.dll

Filesize
57KB

MD5
c135522aa3b501e243d2776c314ac2c8

SHA1
adc4732a2c63d6301541a9bb26b8fecce08237b2

SHA256
31313e18a0e3789de0afa192d97583639099f70bef3b8fbe17f4f7bc1756949d

SHA512
318ca8913eb928f69403a78a744f97222e3e13db6780f76a6d0b8977dad1df80d5c11f23e6b2ed6443ccee4c6fe6c6c03efd6e317de6a3a2bc5d524c356f0cae

Download Submit
C:\Program Files\VID_0810&PID_0001\company\Twin USB Gamepad\JoyFF.dll

Filesize
57KB

MD5
c135522aa3b501e243d2776c314ac2c8

SHA1
adc4732a2c63d6301541a9bb26b8fecce08237b2

SHA256
31313e18a0e3789de0afa192d97583639099f70bef3b8fbe17f4f7bc1756949d

SHA512
318ca8913eb928f69403a78a744f97222e3e13db6780f76a6d0b8977dad1df80d5c11f23e6b2ed6443ccee4c6fe6c6c03efd6e317de6a3a2bc5d524c356f0cae

Download Submit
C:\ProgramData\InstallShield\ISEngine12.0\IsBE.dll

Filesize
52KB

MD5
9cf7faee57a20bf15a2fc9b423ebc512

SHA1
12cbf4d0a941bd5a8f847754fdaf4841e7751cce

SHA256
d34f26d85bfb94a5f017fdaf58b94ecf9553919d2aa9a9955ff0a2e3d7c11e4a

SHA512
44c715be4a98b9ce99c6d926500be3e365f8a08a4d8c85ae9342dc9ce76de29544f14acbf42d69f7f9e40ebdf0c6faa8cb5d4b3fc9d523479b12cf0823678672

Download Submit
C:\Users\Admin\AppData\Local\Temp\{16A4E244-AE0B-474A-8E7F-9DF09D38A68B}\Disk1\ISSetup.dll

Filesize
539KB

MD5
a06ed9fcd8f114e270aa64c46063d8c3

SHA1
e091914d4e2ba90e468ef4e13420bed24146bac6

SHA256
4663e033c1f188ed66d3c413064bfa104f6c307ed10a918afd2b8373130a779a

SHA512
46393550796bc8211ecd96e31ccb5bf65c437d6d1857d548dbd8836192aa6b299feefb617b59fc9c7a251cb259c6dc477f17d044d201621ad315b06db5749102

Download Submit
C:\Users\Admin\AppData\Local\Temp\{16A4E244-AE0B-474A-8E7F-9DF09D38A68B}\Disk1\ISSetup.dll

Filesize
539KB

MD5
a06ed9fcd8f114e270aa64c46063d8c3

SHA1
e091914d4e2ba90e468ef4e13420bed24146bac6

SHA256
4663e033c1f188ed66d3c413064bfa104f6c307ed10a918afd2b8373130a779a

SHA512
46393550796bc8211ecd96e31ccb5bf65c437d6d1857d548dbd8836192aa6b299feefb617b59fc9c7a251cb259c6dc477f17d044d201621ad315b06db5749102

Download Submit
C:\Users\Admin\AppData\Local\Temp\{16A4E244-AE0B-474A-8E7F-9DF09D38A68B}\_Setup.dll

Filesize
160KB

MD5
30ebd4e80b1dda05eac709a1dc5965b4

SHA1
2418232370026574baabc84b105f6dd9e458ad86

SHA256
8802e54ce01babf7bb22d0da5c83bebc5c05d0ccd73566a5f836690e9278a696

SHA512
5115afea66734fe53c9479a6569b7fbc1ef395432781367cd68c7f4878ca3884bad0a960f76db2a40314484f329c4288a6ecf4a93cc49642c5e412448c5a2557

Download Submit
C:\Users\Admin\AppData\Local\Temp\{16A4E244-AE0B-474A-8E7F-9DF09D38A68B}\_Setup.dll

Filesize
160KB

MD5
30ebd4e80b1dda05eac709a1dc5965b4

SHA1
2418232370026574baabc84b105f6dd9e458ad86

SHA256
8802e54ce01babf7bb22d0da5c83bebc5c05d0ccd73566a5f836690e9278a696

SHA512
5115afea66734fe53c9479a6569b7fbc1ef395432781367cd68c7f4878ca3884bad0a960f76db2a40314484f329c4288a6ecf4a93cc49642c5e412448c5a2557

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B6C9BBF7-5177-49F4-9D5D-C2A3E8D845D4}\ISBEW64.exe

Filesize
68KB

MD5
4b56c021299344676f123fcb48f53c1e

SHA1
cbef3152c477c9176120030b164a4a807b527d8e

SHA256
0444971c7c19df0c4e5f8ad75c12ac277638470460eb7747122539960ed5e99f

SHA512
097bbc9f0140e9a14e494b6569e38b88ad390d6befa03e75a8c671e2e5fd93ee55ad50994733c957c32c85f2061d6f4d32b4b8257b3b44d5924ca10e940f779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B6C9BBF7-5177-49F4-9D5D-C2A3E8D845D4}\ISBEW64.exe

Filesize
68KB

MD5
4b56c021299344676f123fcb48f53c1e

SHA1
cbef3152c477c9176120030b164a4a807b527d8e

SHA256
0444971c7c19df0c4e5f8ad75c12ac277638470460eb7747122539960ed5e99f

SHA512
097bbc9f0140e9a14e494b6569e38b88ad390d6befa03e75a8c671e2e5fd93ee55ad50994733c957c32c85f2061d6f4d32b4b8257b3b44d5924ca10e940f779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B6C9BBF7-5177-49F4-9D5D-C2A3E8D845D4}\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\_IsRes.dll

Filesize
120KB

MD5
e54601d8a464a455de081d63d4b7927d

SHA1
0ff6da399c123394cca3b4cc64a41d8037787b73

SHA256
1e154a29673d129414ab56b995d04afcfa1a02af47dabaa28cd11c25f7d6026a

SHA512
5a213430fb8dc6a19c24122f8d9cd03479ee7ae421eac77d1026f16bf520a1f113d43380e2a60d5f0133e09aa7ad323a7ef9d1cccc3eea1e905f09701b118e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B6C9BBF7-5177-49F4-9D5D-C2A3E8D845D4}\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\_IsRes.dll

Filesize
120KB

MD5
e54601d8a464a455de081d63d4b7927d

SHA1
0ff6da399c123394cca3b4cc64a41d8037787b73

SHA256
1e154a29673d129414ab56b995d04afcfa1a02af47dabaa28cd11c25f7d6026a

SHA512
5a213430fb8dc6a19c24122f8d9cd03479ee7ae421eac77d1026f16bf520a1f113d43380e2a60d5f0133e09aa7ad323a7ef9d1cccc3eea1e905f09701b118e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B6C9BBF7-5177-49F4-9D5D-C2A3E8D845D4}\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\isrt.dll

Filesize
203KB

MD5
b35dde51d14f9400e73196693148734e

SHA1
9410c5268f5558e57d044780d0d5dcc7aa181299

SHA256
70fa7f0aa2feb397597b2785a4bfdb2c9cd36e0edb51f4f0dfe6ac086290ac86

SHA512
6bb24c8864078c923007c1818bb0a590ebe84e2fbe6f2642dc951b05c42da1c33861f150c4ea8943657259c1c309a69b8cb1817b6a207cb9e577bc3aa8bfa79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B6C9BBF7-5177-49F4-9D5D-C2A3E8D845D4}\{0AD1F05D-15F6-476D-A3BE-E3D5E3E0E023}\isrt.dll

Filesize
203KB

MD5
b35dde51d14f9400e73196693148734e

SHA1
9410c5268f5558e57d044780d0d5dcc7aa181299

SHA256
70fa7f0aa2feb397597b2785a4bfdb2c9cd36e0edb51f4f0dfe6ac086290ac86

SHA512
6bb24c8864078c923007c1818bb0a590ebe84e2fbe6f2642dc951b05c42da1c33861f150c4ea8943657259c1c309a69b8cb1817b6a207cb9e577bc3aa8bfa79d

Download Submit
memory/376-147-0x0000000005090000-0x0000000005120000-memory.dmp

Filesize
576KB

Download
memory/376-135-0x0000000002860000-0x00000000029F7000-memory.dmp

Filesize
1.6MB

Download
memory/376-154-0x0000000005260000-0x000000000526E000-memory.dmp

Filesize
56KB

Download
memory/376-146-0x0000000004E20000-0x0000000004EAE000-memory.dmp

Filesize
568KB

Download
memory/376-167-0x0000000005260000-0x0000000005279000-memory.dmp

Filesize
100KB

Download
memory/376-134-0x0000000002860000-0x00000000029F7000-memory.dmp

Filesize
1.6MB

Download
memory/376-148-0x0000000002860000-0x00000000029F7000-memory.dmp

Filesize
1.6MB

Download
memory/376-151-0x0000000005260000-0x000000000526E000-memory.dmp

Filesize
56KB

Download
memory/4388-165-0x0000000001E90000-0x0000000001EA3000-memory.dmp

Filesize
76KB

Download
memory/4388-166-0x0000000001E91000-0x0000000001E9E000-memory.dmp

Filesize
52KB

Download
memory/4388-160-0x00000000005F1000-0x0000000000602000-memory.dmp

Filesize
68KB

Download
memory/4388-159-0x00000000005F0000-0x0000000000609000-memory.dmp

Filesize
100KB

Download
memory/4388-169-0x00000000005F0000-0x0000000000609000-memory.dmp

Filesize
100KB

Download
memory/4388-168-0x00000000005F0000-0x0000000000609000-memory.dmp

Filesize
100KB

Download