Malware Analysis Report

2025-08-05 22:27

Sample ID 240312-xdf9bsad77
Target Exo_AA_software.exe
SHA256 3fa20a022ceafed663d70a0d7d41c2efe9fb185f1f9d2ed947e608c6076e9fae
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file Exo_AA_software.exe was found to be: Likely malicious.

Malicious Activity Summary

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates connected drives

Blocklisted process makes network request

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates processes with tasklist

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 18:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 18:44

Reported

2024-03-12 18:49

Platform

win10v2004-20240226-en

Max time kernel

263s

Max time network

248s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\ViGEmBus.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\drivers\keyboard.sys C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp N/A
File created C:\Windows\system32\drivers\mouse.sys C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{cf7979af-2d40-314b-9bb9-c563c51ab507}\vigembus.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{cf7979af-2d40-314b-9bb9-c563c51ab507}\SET70BB.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{cf7979af-2d40-314b-9bb9-c563c51ab507}\SET70CC.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{cf7979af-2d40-314b-9bb9-c563c51ab507}\SET70CC.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{cf7979af-2d40-314b-9bb9-c563c51ab507}\SET70CD.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{cf7979af-2d40-314b-9bb9-c563c51ab507}\SET70BB.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{cf7979af-2d40-314b-9bb9-c563c51ab507}\ViGEmBus.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{cf7979af-2d40-314b-9bb9-c563c51ab507}\ViGEmBus.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{cf7979af-2d40-314b-9bb9-c563c51ab507} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\vigembus.PNF C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{cf7979af-2d40-314b-9bb9-c563c51ab507}\SET70CD.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\vigembus.inf C:\Windows\system32\DrvInst.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon-LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\e5765af.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5765af.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6CB5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{93D91F60-7C94-4A79-863F-EA713D2EB3F3} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6B3D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5765b3.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{93D91F60-7C94-4A79-863F-EA713D2EB3F3}\ViGEm.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{93D91F60-7C94-4A79-863F-EA713D2EB3F3}\ViGEm.ico C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\06F19D3949C797A468F3AE17D3E23B3F\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\PackageCode = "0009B4F754538334F9B3C4D0AA2552EE" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\0 = 84003100000000006c58c3951100446f63756d656e7473006c0009000400efbe874fdb496c58cb952e000000fa050000000001000000000000000000420000000000a7f2230144006f00630075006d0065006e0074007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003100000018000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\ProductIcon = "C:\\Windows\\Installer\\{93D91F60-7C94-4A79-863F-EA713D2EB3F3}\\ViGEm.ico" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\06F19D3949C797A468F3AE17D3E23B3F C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\Version = "17891661" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\PackageName = "TMP60EC.tmp" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\0\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED20A4A03EB04FB4190FE14AA72D8618\06F19D3949C797A468F3AE17D3E23B3F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\0\0 = 6a003100000000006c58c3951000434f4e4649477e320000520009000400efbe6c58c3956c58c3952e0000002431020000000c000000000000000000000000000000a7f2230143006f006e0066006900670043005300410043006f006e006600690067007300000018000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\0\0\NodeSlot = "10" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\ProductName = "Nefarius Virtual Gamepad Emulation Bus Driver" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3984 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe C:\Windows\SYSTEM32\msiexec.exe
PID 3984 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe C:\Windows\SYSTEM32\msiexec.exe
PID 3748 wrote to memory of 3000 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3748 wrote to memory of 3000 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3748 wrote to memory of 3000 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3000 wrote to memory of 2212 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe
PID 3000 wrote to memory of 2212 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe
PID 2780 wrote to memory of 3332 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2780 wrote to memory of 3332 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2780 wrote to memory of 2956 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2780 wrote to memory of 2956 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3984 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp
PID 3984 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp
PID 3984 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp
PID 2640 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp
PID 2640 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp
PID 2640 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp
PID 2416 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp C:\Windows\SysWOW64\explorer.exe
PID 2416 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe
PID 2416 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe
PID 2416 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe
PID 2416 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe
PID 2416 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe
PID 2640 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe

"C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe"

C:\Windows\SYSTEM32\msiexec.exe

msiexec /i C:\Users\Admin\AppData\Local\Temp\TMP60EC.tmp /quiet

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C40F007A9B2DA01EE5A8378AF9EB0447 E Global\MSI0000

C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe

"C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe" install "C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf" Nefarius\ViGEmBus\Gen1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "c:\program files\nefarius software solutions\virtual gamepad emulation bus driver\vigembus.inf" "9" "429a86e87" "0000000000000134" "WinSta0\Default" "0000000000000164" "208" "c:\program files\nefarius software solutions\virtual gamepad emulation bus driver"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce88408607219:ViGEmBus_Device:1.17.333.0:nefarius\vigembus\gen1," "429a86e87" "0000000000000134"

C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp

C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp /install

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe

"C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe"

C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp

C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp Run

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\Users\Public\Documents\ConfigCSAConfigs

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe

"C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"

C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe

"C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"

C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe

"C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"

C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe

"C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"

C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe

"C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tasklist | findstr /i "dnspy"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\findstr.exe

findstr /i "dnspy"

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 25.63.96.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 31.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 configcsa.com udp
FR 37.187.180.199:443 configcsa.com tcp
US 8.8.8.8:53 199.180.187.37.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FR 37.187.180.199:443 configcsa.com tcp
FR 37.187.180.199:443 configcsa.com tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
FR 37.187.180.199:443 configcsa.com tcp
FR 37.187.180.199:443 configcsa.com tcp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
N/A 127.0.0.1:9355 tcp

Files

C:\Users\Admin\AppData\Local\Temp\TMP60EC.tmp

C:\Windows\Installer\MSI6CB5.tmp

C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe

C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf

\??\c:\program files\nefarius software solutions\virtual gamepad emulation bus driver\ViGEmBus.cat

\??\c:\PROGRA~1\NEFARI~1\VIRTUA~1\ViGEmBus.sys

C:\Config.Msi\e5765b2.rbs

C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp

C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp

C:\Users\Public\Documents\ConfigCSA\Login

C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe

C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 18:44

Reported

2024-03-12 18:47

Platform

macos-20240214-en

Max time kernel

134s

Max time network

132s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Exo_AA_software.exe"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Exo_AA_software.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Exo_AA_software.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Exo_AA_software.exe]

/usr/libexec/dmd

[/usr/libexec/dmd]

/bin/zsh

[/bin/zsh -c /Users/run/Exo_AA_software.exe]

/Users/run/Exo_AA_software.exe

[/Users/run/Exo_AA_software.exe]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.PerformanceAnalysis.animationperfd]

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd

[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 52.182.143.208:443 tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 a1366.dscapi6.akamai.net udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
GB 104.91.71.86:443 a1366.dscapi6.akamai.net tcp
US 17.137.170.10:443 tcp
US 17.137.170.34:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 cds.apple.com udp
RO 82.78.25.240:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 23.44.233.108:443 help.apple.com tcp
GB 23.44.233.108:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

/Library/Preferences/com.apple.networkextension.uuidcache.plist


/Users/run/Library/Caches/GeoServices/Resources/altitude-1202.xml


/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
