af7958e4d88f2a8efc868d059d56dd485f17e44b5c172b7d9d49a421d442db2e

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2023, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DroidJoy_Setup_x64_2.1.0.exe
Size

5.7MB
MD5

a697a9e770a8df117bee81b94f75376f
SHA1

4e40e9984fd8a38112a83ef9b7e2982970dd75bb
SHA256

af7958e4d88f2a8efc868d059d56dd485f17e44b5c172b7d9d49a421d442db2e
SHA512

82738024cec6c17d4a4030205af7639ed4e257bc5bc7584ede13b496d066ccc44885eb83ae90fef408e472070cd184896af64b917e93a4406373ae5fcce68543
SSDEEP

98304:oYMAdmQb4pjqsmrhmdskCSy+wFtVR/sfcyt+iLuEjmADD0fYxSgIzkfCBiAY2nx:9MLQ458hmdskCSNwLWcxiUADvxnfEi+x

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SET40EC.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET40EC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\ScpVBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\xusb22.sys	DrvInst.exe

Executes dropped EXE 4 IoCs

pid	Process
2236	DroidJoy_Setup_x64_2.1.0.tmp
4160	devcon.exe
2764	devcon.exe
1496	DroidJoyServer.exe

Loads dropped DLL 4 IoCs

pid	Process
2236	DroidJoy_Setup_x64_2.1.0.tmp
1496	DroidJoyServer.exe
1496	DroidJoyServer.exe
1496	DroidJoyServer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	DroidJoy_Setup_x64_2.1.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DroidJoyServer = "\"C:\\Program Files\\DroidJoy Server\\DroidJoyServer.exe\""	DroidJoy_Setup_x64_2.1.0.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\SET197F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\SET197F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\ScpVBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\scpvbus.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\scpvbus.inf_amd64_0753931c84d85377\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\scpvbus.inf_amd64_0753931c84d85377\ScpVBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\xusb22.inf_amd64_d0f2fd4c931f4672\xusb22.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\SET1930.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\SET1930.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\WdfCoInstaller01009.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\SET19AF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\ScpVBus.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\scpvbus.inf_amd64_0753931c84d85377\scpvbus.PNF	devcon.exe
File created	C:\Windows\System32\SET40FD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\SET19AF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\scpvbus.inf_amd64_0753931c84d85377\ScpVBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\scpvbus.inf_amd64_0753931c84d85377\scpvbus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\SET40FD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\SET19B0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\SET19B0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}	DrvInst.exe

Drops file in Program Files directory 59 IoCs

description	ioc	Process
File created	C:\Program Files\DroidJoy Server\is-49BCD.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-P9UAU.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-97BJ2.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\GalaSoft.MvvmLight.dll	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\Hardcodet.Wpf.TaskbarNotification.dll	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\msvcr120.dll	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-QJSO9.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-74U3H.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-19C06.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-EDKBD.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\unins000.dat	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-NCK7G.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-08S95.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-R2AE7.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\unins000.dat	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-A6QE2.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\msvcp110.dll	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-823KQ.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-6F8GQ.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\System.Windows.Interactivity.dll	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-1T410.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-JHODS.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-V8EP8.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\InTheHand.Net.Personal.dll	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-M9V5K.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-BIAD2.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\Microsoft.Practices.ServiceLocation.dll	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\WdfCoinstaller01009.dll	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-76D3E.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-NOA1P.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\devcon.exe	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-N6T7V.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-E9PHP.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-CIOKM.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\msvcp120.dll	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\vGenInterface.dll	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-OO2NN.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-Q3LVL.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\vGenInterfaceWrap.dll	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-3F167.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-S6V5B.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\LBIndustrialCtrls.dll	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\msvcr110.dll	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\mscorlib.dll	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\vJoyInstall.exe	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-M7JDJ.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\DroidJoyServer.exe	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\GalaSoft.MvvmLight.Extras.dll	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\NLog.dll	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\TaskDialog.dll	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-PK8GO.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-T1S87.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-U837N.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\vJoyInstall.dll	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-BQKSN.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-359J6.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File opened for modification	C:\Program Files\DroidJoy Server\FontAwesome.WPF.dll	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-7AMMT.tmp	DroidJoy_Setup_x64_2.1.0.tmp
File created	C:\Program Files\DroidJoy Server\is-P8KGM.tmp	DroidJoy_Setup_x64_2.1.0.tmp

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	DroidJoyServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	DroidJoyServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	DroidJoyServer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	DroidJoyServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DroidJoyServer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	devcon.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2236	DroidJoy_Setup_x64_2.1.0.tmp
2236	DroidJoy_Setup_x64_2.1.0.tmp

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeAuditPrivilege	3476	svchost.exe
Token: SeSecurityPrivilege	3476	svchost.exe
Token: SeLoadDriverPrivilege	2764	devcon.exe
Token: SeRestorePrivilege	5100	DrvInst.exe
Token: SeBackupPrivilege	5100	DrvInst.exe
Token: SeRestorePrivilege	5100	DrvInst.exe
Token: SeBackupPrivilege	5100	DrvInst.exe
Token: SeLoadDriverPrivilege	5100	DrvInst.exe
Token: SeLoadDriverPrivilege	5100	DrvInst.exe
Token: SeLoadDriverPrivilege	5100	DrvInst.exe
Token: SeRestorePrivilege	1376	DrvInst.exe
Token: SeBackupPrivilege	1376	DrvInst.exe
Token: SeLoadDriverPrivilege	1376	DrvInst.exe
Token: SeLoadDriverPrivilege	1376	DrvInst.exe
Token: SeLoadDriverPrivilege	1376	DrvInst.exe
Token: 33	3788	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3788	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2236	DroidJoy_Setup_x64_2.1.0.tmp
1496	DroidJoyServer.exe
1496	DroidJoyServer.exe
1496	DroidJoyServer.exe
1496	DroidJoyServer.exe
1496	DroidJoyServer.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1496	DroidJoyServer.exe
1496	DroidJoyServer.exe
1496	DroidJoyServer.exe
1496	DroidJoyServer.exe
1496	DroidJoyServer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2236	2188	DroidJoy_Setup_x64_2.1.0.exe	83
PID 2188 wrote to memory of 2236	2188	DroidJoy_Setup_x64_2.1.0.exe	83
PID 2188 wrote to memory of 2236	2188	DroidJoy_Setup_x64_2.1.0.exe	83
PID 2236 wrote to memory of 2168	2236	DroidJoy_Setup_x64_2.1.0.tmp	100
PID 2236 wrote to memory of 2168	2236	DroidJoy_Setup_x64_2.1.0.tmp	100
PID 2168 wrote to memory of 4160	2168	cmd.exe	102
PID 2168 wrote to memory of 4160	2168	cmd.exe	102
PID 2236 wrote to memory of 2984	2236	DroidJoy_Setup_x64_2.1.0.tmp	103
PID 2236 wrote to memory of 2984	2236	DroidJoy_Setup_x64_2.1.0.tmp	103
PID 2984 wrote to memory of 2764	2984	cmd.exe	105
PID 2984 wrote to memory of 2764	2984	cmd.exe	105
PID 3476 wrote to memory of 3680	3476	svchost.exe	108
PID 3476 wrote to memory of 3680	3476	svchost.exe	108
PID 3680 wrote to memory of 4068	3680	DrvInst.exe	109
PID 3680 wrote to memory of 4068	3680	DrvInst.exe	109
PID 3476 wrote to memory of 5100	3476	svchost.exe	111
PID 3476 wrote to memory of 5100	3476	svchost.exe	111
PID 2236 wrote to memory of 1496	2236	DroidJoy_Setup_x64_2.1.0.tmp	113
PID 2236 wrote to memory of 1496	2236	DroidJoy_Setup_x64_2.1.0.tmp	113
PID 3476 wrote to memory of 1376	3476	svchost.exe	114
PID 3476 wrote to memory of 1376	3476	svchost.exe	114

C:\Users\Admin\AppData\Local\Temp\DroidJoy_Setup_x64_2.1.0.exe
"C:\Users\Admin\AppData\Local\Temp\DroidJoy_Setup_x64_2.1.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\is-52AR4.tmp\DroidJoy_Setup_x64_2.1.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-52AR4.tmp\DroidJoy_Setup_x64_2.1.0.tmp" /SL5="$70208,5588180,401920,C:\Users\Admin\AppData\Local\Temp\DroidJoy_Setup_x64_2.1.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C devcon.exe remove Root\ScpVBus
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Program Files\DroidJoy Server\devcon.exe
      devcon.exe remove Root\ScpVBus
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:4160
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C devcon.exe install ScpVBus.inf Root\ScpVBus
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Program Files\DroidJoy Server\devcon.exe
      devcon.exe install ScpVBus.inf Root\ScpVBus
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2764
- - C:\Program Files\DroidJoy Server\DroidJoyServer.exe
    "C:\Program Files\DroidJoy Server\DroidJoyServer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{815d886a-ded3-114c-a7e6-7e86c3a00e69}\scpvbus.inf" "9" "4b5cfab93" "0000000000000150" "WinSta0\Default" "000000000000015C" "208" "c:\program files\droidjoy server"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{a0b5e5f7-3e9c-2748-9fec-e047dbcc1644} Global\{38913358-964a-904e-8565-146f715f65d7} C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\scpvbus.inf C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\ScpVBus.cat
    3⤵
    PID:4068
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce88487555a35:ScpVBus_Device:9.11.9.337:root\scpvbus," "4b5cfab93" "0000000000000150"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "0" "USB\VID_045E&PID_028E\0000001" "" "" "4c8dd300b" "0000000000000000"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1376

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x34c 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\system32\DsmUserTask.Exe
DsmUserTask.Exe N{CD5234F2-19A2-11EE-84C0-EE28015B3527}
1⤵
PID:3488

C:\Windows\system32\DsmUserTask.Exe
DsmUserTask.Exe C{CD5234F2-19A2-11EE-84C0-EE28015B3527}
1⤵
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DroidJoy Server\DroidJoyServer.exe

Filesize
1.1MB

MD5
4bcde3fd8d4eec23240daef902b3d6d9

SHA1
bcc163e262dc4345e74c785fa76cd36966aed536

SHA256
475d8e051c9a98accda3429307f76afdb169eba5fba8915322a9f5df184a0983

SHA512
ef5c00c28ef59f28ccd69cb48f49d573b1fa8acb2133ce447b2fccc258e0dc763f43a7a44bace744623579609a09b40f2e4457630e2373a4314fd125573dcf25

Download Submit
C:\Program Files\DroidJoy Server\DroidJoyServer.exe

Filesize
1.1MB

MD5
4bcde3fd8d4eec23240daef902b3d6d9

SHA1
bcc163e262dc4345e74c785fa76cd36966aed536

SHA256
475d8e051c9a98accda3429307f76afdb169eba5fba8915322a9f5df184a0983

SHA512
ef5c00c28ef59f28ccd69cb48f49d573b1fa8acb2133ce447b2fccc258e0dc763f43a7a44bace744623579609a09b40f2e4457630e2373a4314fd125573dcf25

Download Submit
C:\Program Files\DroidJoy Server\DroidJoyServer.exe

Filesize
1.1MB

MD5
4bcde3fd8d4eec23240daef902b3d6d9

SHA1
bcc163e262dc4345e74c785fa76cd36966aed536

SHA256
475d8e051c9a98accda3429307f76afdb169eba5fba8915322a9f5df184a0983

SHA512
ef5c00c28ef59f28ccd69cb48f49d573b1fa8acb2133ce447b2fccc258e0dc763f43a7a44bace744623579609a09b40f2e4457630e2373a4314fd125573dcf25

Download Submit
C:\Program Files\DroidJoy Server\DroidJoyServer.exe.config

Filesize
1KB

MD5
b708059b94ee4bbfd81151459a5e54f5

SHA1
94289230894b98f39f8f0fab16633c26c02502de

SHA256
b73bfbd62f900eef76ee36b0f078d4438affe3c3db193a8f37b112c9b58519f5

SHA512
486e67efa59d5d73fbaaa7835aa6e6972bfb083291dc179ac0a9eaefebd19b05c29d7a5e932f3e76ad3e46c6b528980504daae54cbd2799a8866ba5a268e78fe

Download Submit
C:\Program Files\DroidJoy Server\FontAwesome.WPF.dll

Filesize
204KB

MD5
2ace85429eee9e8320c82d878e5562b4

SHA1
77ed8b89210930d1de2495ba363519b696d0b6e2

SHA256
63d50dbe094bbce5d7bf8af08c0d919cfa5e057ca05ae7b27704a8477c8b348f

SHA512
7ce3467d1469acdb544f4f42864d94c5ae0ada252c5f096329e16d4b571fc1800bd572e52cfe902ee5d4b91d59a1a4182b07f40b7a4dfe54e338ca46684af989

Download Submit
C:\Program Files\DroidJoy Server\GalaSoft.MvvmLight.Extras.dll

Filesize
21KB

MD5
43312122af66a3e99cf2f9c597012c22

SHA1
634d4c39a874eddd4a733c4548c37ffb0d2f467b

SHA256
8e248e95e6dc65317af9caaf6a43091d5cb75fd1302bae0a49dea821fa21dc8e

SHA512
2a73b9df94f219a2b8ddf54a7d1b176bb79fbae346ac8b30e3df82cb8c604c681960fd8208d68d30ca66ce4de9f9963b789d3105402d899fd930a4831bee2ee3

Download Submit
C:\Program Files\DroidJoy Server\GalaSoft.MvvmLight.dll

Filesize
28KB

MD5
b349a5c9165cbb8663f82c31f9402d35

SHA1
e8b38649c05408da796e2dc21e699ca8352a059f

SHA256
60ffbd8a891acbe1adbe79d320806a32ae826575f5218a51379ffc83f03f62a7

SHA512
377c0c88f0febf3dbb4786ce823aa2cf2b85f55a654d9f3d10a44480a9f9b726a08bb2c03b190473f4f461824ecdcf0feb9af098d4840952a2accbc197e89e6e

Download Submit
C:\Program Files\DroidJoy Server\GamepadSettings.xml

Filesize
6KB

MD5
af10ed580fdabe84ad13d9f2ac0a964c

SHA1
ebcfd2108988c8f5efd1076a3bc10ec1c6461a13

SHA256
475c23ba93540aa1f621e61a4bcd8781fe0ff730538701405520a91a653d30e5

SHA512
db2c68430bdb92602c5e7959e253092eba19e60086d52cebf303690dca8e07756d6a521fddfa2484b36f0945636aec8c29d08fefbc8503858813e905e571840c

Download Submit
C:\Program Files\DroidJoy Server\Hardcodet.Wpf.TaskbarNotification.dll

Filesize
44KB

MD5
6f8d41be2ab322e1f13f4d5dc2207e0c

SHA1
474ceae7deea206dc66d0a2324d0c32323124cb6

SHA256
5d91629e82f4f0eee5832f0a21cf46b4f29eca5bffad29268e8209e917af4d07

SHA512
29afa65cd4b943cff011ea3cab88db45a4a89aeed1b3c6e878a2816188cbd81eee723bc25737c43429a8f6414e1f090258f86f3f60a062b8ce7b3b1cdd695799

Download Submit
C:\Program Files\DroidJoy Server\InTheHand.Net.Personal.dll

Filesize
421KB

MD5
c2a77547f66f8aff1a0b436f4ec0846b

SHA1
7741ac9c5af73e4d135b9fae06031784e4ece495

SHA256
e06795b4337771504bfa6a3b5d7cb8307bba00c7baa2b061d4cd224207e0d3ba

SHA512
69ba135beffeeb159064f84c408ef10a89be4eb1eda97be23e95d7edbc9c1bdacdd98a0f7e9ad80a8495bd7f7c165e1e2b054e757d0bf9b5b67147827494e71b

Download Submit
C:\Program Files\DroidJoy Server\Microsoft.Practices.ServiceLocation.dll

Filesize
17KB

MD5
92a533be83b7fa43a1b18f009a7d450b

SHA1
e9ac62ebb0643bffb243d889c535a8abcd1ba52a

SHA256
34005d6a80434542780c6d192e6abd07bea49b2eeb7e43fbfdfe90c2889986e5

SHA512
b7ae35d9ab96c51b50998b46b8e73ba61bfc01812853c870872a18a3aa986db8a66d3b8e173e1d7dd58097c07b07afb64e5297b4b894b8fa1bf565773856a491

Download Submit
C:\Program Files\DroidJoy Server\NLog.dll

Filesize
590KB

MD5
f777533e9c54a5b5aeefd8353659fbfc

SHA1
2a0d9aff4a0b3a8e13ad0e3f3d659194e9d3bc72

SHA256
7164dae2b677907dd9f9ef37147bc2571d0a954a5c5a00f047c7f5c1c1b99de8

SHA512
85ce75b14b585bd8b37aedab6b0b3fe01c56b1de4ee0b507fe8fff7292c76ecfd8bd7519b6d6e98aa549f3394c628caf5b98ed78d4eccb4f1b5f0fc094fc4c4c

Download Submit
C:\Program Files\DroidJoy Server\ScpVBus.inf

Filesize
2KB

MD5
d37a243b454157f12044ace6bb4254b5

SHA1
1efb193e444107b52d28d79c041f5b51a694905e

SHA256
fe787cf8886bf543c3d95dad461667c166847e8b9f7597c54f6632a5267f3ced

SHA512
6131fab07731e5564e8567cbcdcac6f285040ac0c3ddb9ce7fe210c50bdd7179700d24b429492887d1f0f7552a67822eca71b39bddef1463370e5af7c4da7343

Download Submit
C:\Program Files\DroidJoy Server\devcon.exe

Filesize
80KB

MD5
7920632d06bda4f19f4815232796fd24

SHA1
0dbc86019e7b49eab75e70e3be07e6e78a41d3dd

SHA256
f4225d077a71787e8b98ed2e649aae8af1ae5c92e82414b59f71c9dd1784e729

SHA512
09eefce4be893c756b18a3044ee1b7a4207f9235e1be765e2f598e10ad962d18c6588bf3a44bb0d629f4c92f84b076da33292a2faa334a5380dee867a37fdf91

Download Submit
C:\Program Files\DroidJoy Server\devcon.exe

Filesize
80KB

MD5
7920632d06bda4f19f4815232796fd24

SHA1
0dbc86019e7b49eab75e70e3be07e6e78a41d3dd

SHA256
f4225d077a71787e8b98ed2e649aae8af1ae5c92e82414b59f71c9dd1784e729

SHA512
09eefce4be893c756b18a3044ee1b7a4207f9235e1be765e2f598e10ad962d18c6588bf3a44bb0d629f4c92f84b076da33292a2faa334a5380dee867a37fdf91

Download Submit
C:\Program Files\DroidJoy Server\vGenInterface.dll

Filesize
376KB

MD5
daba16b3eba5ecc4dea5c6321bbb8c5f

SHA1
11c51b70b2644a72b6449165b7364af828af9236

SHA256
e870455286ed0f065706102bff5bed15fb524b221566276d8a457e66f05eaf08

SHA512
f01fa3cfcf4ffbf970bc7d558a0796e88fe8e643a856d02b69999f56417b9ca6e87ee7041d3c9208542afb333dc6d60c636f483d677ae3902294876a4efa3ed5

Download Submit
C:\Program Files\DroidJoy Server\vGenInterface.dll

Filesize
376KB

MD5
daba16b3eba5ecc4dea5c6321bbb8c5f

SHA1
11c51b70b2644a72b6449165b7364af828af9236

SHA256
e870455286ed0f065706102bff5bed15fb524b221566276d8a457e66f05eaf08

SHA512
f01fa3cfcf4ffbf970bc7d558a0796e88fe8e643a856d02b69999f56417b9ca6e87ee7041d3c9208542afb333dc6d60c636f483d677ae3902294876a4efa3ed5

Download Submit
C:\Program Files\DroidJoy Server\vGenInterfaceWrap.dll

Filesize
16KB

MD5
d3538730c177827c5fbed546b44d14b9

SHA1
56c26e2c4470dc8014e47828fda3025b415d5a5b

SHA256
53e07115e6550cc0479e0a8075cc22602c97e064a4937262bafc73a194d034ef

SHA512
a10917afb7b97ced1be4f540909800e1432d997b33774a7d19d3deac9607d17901ea1c9bad41b09d4e94cbd7ffedfa7292b1f37d7112ef977c5507b0b43e623e

Download Submit
C:\Program Files\DroidJoy Server\vGenInterfaceWrap.dll

Filesize
16KB

MD5
d3538730c177827c5fbed546b44d14b9

SHA1
56c26e2c4470dc8014e47828fda3025b415d5a5b

SHA256
53e07115e6550cc0479e0a8075cc22602c97e064a4937262bafc73a194d034ef

SHA512
a10917afb7b97ced1be4f540909800e1432d997b33774a7d19d3deac9607d17901ea1c9bad41b09d4e94cbd7ffedfa7292b1f37d7112ef977c5507b0b43e623e

Download Submit
C:\Program Files\DroidJoy Server\vGenInterfaceWrap.dll

Filesize
16KB

MD5
d3538730c177827c5fbed546b44d14b9

SHA1
56c26e2c4470dc8014e47828fda3025b415d5a5b

SHA256
53e07115e6550cc0479e0a8075cc22602c97e064a4937262bafc73a194d034ef

SHA512
a10917afb7b97ced1be4f540909800e1432d997b33774a7d19d3deac9607d17901ea1c9bad41b09d4e94cbd7ffedfa7292b1f37d7112ef977c5507b0b43e623e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-52AR4.tmp\DroidJoy_Setup_x64_2.1.0.tmp

Filesize
1.0MB

MD5
062054a501f35e28de02dce408074414

SHA1
8dade414cb096b7162de5c2e8e826d24b2037fb3

SHA256
53bf279912e85dac5b45c120ba8ab78d36e606c1efbf610c8aba0b5a1ee3c587

SHA512
8a1d6153a762bed5aeecb750a6ddf34bd873e7a4881c7ef82b3f1b9daa6be32f707de5afaa935a9cb8923c16752cf63c7e1b2e69c5bd24345ddb3c3aacf8b135

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-52AR4.tmp\DroidJoy_Setup_x64_2.1.0.tmp

Filesize
1.0MB

MD5
062054a501f35e28de02dce408074414

SHA1
8dade414cb096b7162de5c2e8e826d24b2037fb3

SHA256
53bf279912e85dac5b45c120ba8ab78d36e606c1efbf610c8aba0b5a1ee3c587

SHA512
8a1d6153a762bed5aeecb750a6ddf34bd873e7a4881c7ef82b3f1b9daa6be32f707de5afaa935a9cb8923c16752cf63c7e1b2e69c5bd24345ddb3c3aacf8b135

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S0NOV.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{815D8~1\ScpVBus.cat

Filesize
8KB

MD5
a9441e633384d4d00c9d6dfcf2a1ea1d

SHA1
7d738542aa8a00e2574ac976db7ed4d597269824

SHA256
1a9ae39960651cef16e7da048289ecb41830da35ce47fc00936c335cf2e86d4f

SHA512
8befcd340f1b24cccc85f26763287ad8f61f65e67549c3d84d131a773114439b81635a5f274689be3891c2e2e7e1356967de098a7d88361e7afde17187042c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\{815D8~1\ScpVBus.sys

Filesize
43KB

MD5
dbf3d66a7eb9fcc3b9b744798d8836c9

SHA1
1da7f9fe60f175ffd5c5633e9010a87806153ab4

SHA256
b1b85035d7e5195a812f057542666c387aff5a324ba7a3a719b028c895a69833

SHA512
a16a64bbc420b539021d9d0871a3e07c4d6aa519b22d38dc11e61d8613fb86894e68ded00ab2ce4a889b8ee06724191815ee81ed3b2fcfb2b227fbec00451f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{815D8~1\WdfCoInstaller01009.dll

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\Users\Admin\AppData\Local\Temp\{815d886a-ded3-114c-a7e6-7e86c3a00e69}\SET17B9.tmp

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\Users\Admin\AppData\Local\Temp\{815d886a-ded3-114c-a7e6-7e86c3a00e69}\ScpVBus.cat

Filesize
8KB

MD5
a9441e633384d4d00c9d6dfcf2a1ea1d

SHA1
7d738542aa8a00e2574ac976db7ed4d597269824

SHA256
1a9ae39960651cef16e7da048289ecb41830da35ce47fc00936c335cf2e86d4f

SHA512
8befcd340f1b24cccc85f26763287ad8f61f65e67549c3d84d131a773114439b81635a5f274689be3891c2e2e7e1356967de098a7d88361e7afde17187042c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\{815d886a-ded3-114c-a7e6-7e86c3a00e69}\ScpVBus.sys

Filesize
43KB

MD5
dbf3d66a7eb9fcc3b9b744798d8836c9

SHA1
1da7f9fe60f175ffd5c5633e9010a87806153ab4

SHA256
b1b85035d7e5195a812f057542666c387aff5a324ba7a3a719b028c895a69833

SHA512
a16a64bbc420b539021d9d0871a3e07c4d6aa519b22d38dc11e61d8613fb86894e68ded00ab2ce4a889b8ee06724191815ee81ed3b2fcfb2b227fbec00451f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{815d886a-ded3-114c-a7e6-7e86c3a00e69}\scpvbus.inf

Filesize
2KB

MD5
d37a243b454157f12044ace6bb4254b5

SHA1
1efb193e444107b52d28d79c041f5b51a694905e

SHA256
fe787cf8886bf543c3d95dad461667c166847e8b9f7597c54f6632a5267f3ced

SHA512
6131fab07731e5564e8567cbcdcac6f285040ac0c3ddb9ce7fe210c50bdd7179700d24b429492887d1f0f7552a67822eca71b39bddef1463370e5af7c4da7343

Download Submit
C:\Users\Admin\AppData\Local\Temp\{815d886a-ded3-114c-a7e6-7e86c3a00e69}\scpvbus.inf

Filesize
2KB

MD5
d37a243b454157f12044ace6bb4254b5

SHA1
1efb193e444107b52d28d79c041f5b51a694905e

SHA256
fe787cf8886bf543c3d95dad461667c166847e8b9f7597c54f6632a5267f3ced

SHA512
6131fab07731e5564e8567cbcdcac6f285040ac0c3ddb9ce7fe210c50bdd7179700d24b429492887d1f0f7552a67822eca71b39bddef1463370e5af7c4da7343

Download Submit
C:\Windows\INF\oem3.inf

Filesize
2KB

MD5
d37a243b454157f12044ace6bb4254b5

SHA1
1efb193e444107b52d28d79c041f5b51a694905e

SHA256
fe787cf8886bf543c3d95dad461667c166847e8b9f7597c54f6632a5267f3ced

SHA512
6131fab07731e5564e8567cbcdcac6f285040ac0c3ddb9ce7fe210c50bdd7179700d24b429492887d1f0f7552a67822eca71b39bddef1463370e5af7c4da7343

Download Submit
C:\Windows\System32\DriverStore\FileRepository\SCPVBU~1.INF\ScpVBus.sys

Filesize
43KB

MD5
dbf3d66a7eb9fcc3b9b744798d8836c9

SHA1
1da7f9fe60f175ffd5c5633e9010a87806153ab4

SHA256
b1b85035d7e5195a812f057542666c387aff5a324ba7a3a719b028c895a69833

SHA512
a16a64bbc420b539021d9d0871a3e07c4d6aa519b22d38dc11e61d8613fb86894e68ded00ab2ce4a889b8ee06724191815ee81ed3b2fcfb2b227fbec00451f3e

Download Submit
C:\Windows\System32\DriverStore\FileRepository\SCPVBU~1.INF\WdfCoInstaller01009.dll

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\ScpVBus.cat

Filesize
8KB

MD5
a9441e633384d4d00c9d6dfcf2a1ea1d

SHA1
7d738542aa8a00e2574ac976db7ed4d597269824

SHA256
1a9ae39960651cef16e7da048289ecb41830da35ce47fc00936c335cf2e86d4f

SHA512
8befcd340f1b24cccc85f26763287ad8f61f65e67549c3d84d131a773114439b81635a5f274689be3891c2e2e7e1356967de098a7d88361e7afde17187042c55

Download Submit
C:\Windows\System32\DriverStore\Temp\{05e1c5d5-5c6b-8a47-abb6-ddc9cbb4bd60}\scpvbus.inf

Filesize
2KB

MD5
d37a243b454157f12044ace6bb4254b5

SHA1
1efb193e444107b52d28d79c041f5b51a694905e

SHA256
fe787cf8886bf543c3d95dad461667c166847e8b9f7597c54f6632a5267f3ced

SHA512
6131fab07731e5564e8567cbcdcac6f285040ac0c3ddb9ce7fe210c50bdd7179700d24b429492887d1f0f7552a67822eca71b39bddef1463370e5af7c4da7343

Download Submit
\??\c:\PROGRA~1\DROIDJ~1\ScpVBus.sys

Filesize
43KB

MD5
dbf3d66a7eb9fcc3b9b744798d8836c9

SHA1
1da7f9fe60f175ffd5c5633e9010a87806153ab4

SHA256
b1b85035d7e5195a812f057542666c387aff5a324ba7a3a719b028c895a69833

SHA512
a16a64bbc420b539021d9d0871a3e07c4d6aa519b22d38dc11e61d8613fb86894e68ded00ab2ce4a889b8ee06724191815ee81ed3b2fcfb2b227fbec00451f3e

Download Submit
\??\c:\PROGRA~1\DROIDJ~1\WDFCOI~1.DLL

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
\??\c:\program files\droidjoy server\ScpVBus.cat

Filesize
8KB

MD5
a9441e633384d4d00c9d6dfcf2a1ea1d

SHA1
7d738542aa8a00e2574ac976db7ed4d597269824

SHA256
1a9ae39960651cef16e7da048289ecb41830da35ce47fc00936c335cf2e86d4f

SHA512
8befcd340f1b24cccc85f26763287ad8f61f65e67549c3d84d131a773114439b81635a5f274689be3891c2e2e7e1356967de098a7d88361e7afde17187042c55

Download Submit
memory/1496-358-0x000000001E8A0000-0x000000001E910000-memory.dmp

Filesize
448KB

Download
memory/1496-354-0x000000001DF90000-0x000000001DF98000-memory.dmp

Filesize
32KB

Download
memory/1496-369-0x000000001CA60000-0x000000001CA70000-memory.dmp

Filesize
64KB

Download
memory/1496-343-0x000000001DF60000-0x000000001DF72000-memory.dmp

Filesize
72KB

Download
memory/1496-368-0x000000001CA60000-0x000000001CA70000-memory.dmp

Filesize
64KB

Download
memory/1496-345-0x000000001DC30000-0x000000001DC3E000-memory.dmp

Filesize
56KB

Download
memory/1496-367-0x000000001CA60000-0x000000001CA70000-memory.dmp

Filesize
64KB

Download
memory/1496-366-0x00007FFC550F0000-0x00007FFC55BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1496-347-0x000000001DC40000-0x000000001DC4A000-memory.dmp

Filesize
40KB

Download
memory/1496-364-0x0000000021160000-0x0000000021198000-memory.dmp

Filesize
224KB

Download
memory/1496-349-0x000000001DF80000-0x000000001DF8C000-memory.dmp

Filesize
48KB

Download
memory/1496-365-0x0000000021130000-0x000000002113E000-memory.dmp

Filesize
56KB

Download
memory/1496-363-0x000000001CA60000-0x000000001CA70000-memory.dmp

Filesize
64KB

Download
memory/1496-361-0x0000000020D00000-0x0000000020D08000-memory.dmp

Filesize
32KB

Download
memory/1496-326-0x000000001CA60000-0x000000001CA70000-memory.dmp

Filesize
64KB

Download
memory/1496-333-0x000000001D6F0000-0x000000001D78A000-memory.dmp

Filesize
616KB

Download
memory/1496-325-0x00007FFC550F0000-0x00007FFC55BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1496-362-0x000000001CA60000-0x000000001CA70000-memory.dmp

Filesize
64KB

Download
memory/1496-324-0x0000000000D20000-0x0000000000E3E000-memory.dmp

Filesize
1.1MB

Download
memory/1496-360-0x000000001EA10000-0x000000001EA4A000-memory.dmp

Filesize
232KB

Download
memory/2188-133-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2188-149-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2188-331-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2236-291-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2236-318-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2236-139-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2236-330-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2236-150-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2236-151-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2236-153-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2236-155-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download