File name: ViGEmBus_1.22.0_x64_x86_arm64.exe

Full analysis: https://app.any.run/tasks/b81c9ab6-37f2-4eb2-ab1e-9111084dc6f4
Verdict: Malicious activity
Analysis date: June 01, 2024, 14:56:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A62717E3E4306DE1DCA4FB5C2FA0AC6C
SHA1: 5EC1B1077B43E82C2D3712909C7ED80DD59504DD
SHA256: 89220A7865076B342892F98865F3499FB7C4CFD673159E89D352C360FD014C6A
SSDEEP: 98304:0zfyVMcz9E685gGpJaiTpH8qknpcM6f2DHvqMmAziOKyxjdLBTTpIDPz0Ur/Y21e:5/3ya1cAr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
  • SUSPICIOUS
    • Reads settings of System Certificates
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Executable content was dropped or overwritten
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Checks Windows Trust Settings
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Reads the Windows owner or organization settings
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Reads security settings of Internet Explorer
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
  • INFO
    • Reads the computer name
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
      • msiexec.exe (PID: 4088)
      • msiexec.exe (PID: 4044)
    • Checks supported languages
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
      • msiexec.exe (PID: 4044)
      • msiexec.exe (PID: 4088)
    • Creates files in a temporary directory
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Reads the software policy settings
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Reads the machine GUID from the registry
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
      • msiexec.exe (PID: 4088)
      • msiexec.exe (PID: 4044)
    • Application launched itself
      • msiexec.exe (PID: 4044)
    • Reads Environment values
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Creates files in the program directory
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:04 08:42:22+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.37
CodeSize: 2600448
InitializedDataSize: 1169920
UninitializedDataSize: -
EntryPoint: 0x1f0006
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.22.0.0
ProductVersionNumber: 1.22.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
CompanyName: Nefarius Software Solutions e.U.
FileDescription: ViGEm Bus Driver Installer
FileVersion: 1.22.0
InternalName: ViGEmBus_1.22.0_x64_x86_arm64
LegalCopyright: Copyright (C) 2023 Nefarius Software Solutions e.U.
OriginalFileName: ViGEmBus_1.22.0_x64_x86_arm64.exe
ProductName: ViGEm Bus Driver
ProductVersion: 1.22.0
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive version in the full report): start → vigembus_1.22.0_x64_x86_arm64.exe, msiexec.exe (no specs), msiexec.exe (no specs)

Process information

PID: 3972
CMD: "C:\Users\admin\AppData\Local\Temp\ViGEmBus_1.22.0_x64_x86_arm64.exe"
Path: C:\Users\admin\AppData\Local\Temp\ViGEmBus_1.22.0_x64_x86_arm64.exe
Parent process: explorer.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: MEDIUM
Description: ViGEm Bus Driver Installer
Exit code: 1603
Version: 1.22.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\vigembus_1.22.0_x64_x86_arm64.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll

PID: 4044
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\msiexec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 4088
CMD: C:\Windows\system32\MsiExec.exe -Embedding A1ADC2A4856EC1185927005EAA5227DD C
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\msiexec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
Total events: 4 167
Read events: 4 150
Write events: 14
Delete events: 3

Modification events

(PID) Process: (3972) ViGEmBus_1.22.0_x64_x86_arm64.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3972) ViGEmBus_1.22.0_x64_x86_arm64.exe
Key: HKEY_CURRENT_USER\Software\AiTemp
Operation: delete value
Name: C__Users_admin_AppData_Local_Temp_ViGEmBus_1.22.0_x64_x86_arm64.exe
Value:

(PID) Process: (3972) ViGEmBus_1.22.0_x64_x86_arm64.exe
Key: HKEY_CURRENT_USER\Software\AiTemp
Operation: delete key
Name: (default)
Value:

(PID) Process: (3972) ViGEmBus_1.22.0_x64_x86_arm64.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation: delete value
Name: C__Users_admin_AppData_Local_Temp_ViGEmBus_1.22.0_x64_x86_arm64.exe
Value:
Executable files: 8
Suspicious files: 1
Text files: 21
Unknown types: 0

Dropped files

PID: 3972 | Process: ViGEmBus_1.22.0_x64_x86_arm64.exe
Filename: C:\ProgramData\Nefarius Software Solutions\ViGEm Bus Driver 1.22.0\install\holder0.aiph
Type:
MD5:
SHA256:

PID: 3972 | Process: ViGEmBus_1.22.0_x64_x86_arm64.exe
Filename: C:\ProgramData\Nefarius Software Solutions\ViGEm Bus Driver 1.22.0\install\A4E9077\ViGEmBus.msi
Type: executable
MD5: 9012F08F3131F64B46CF73990F8FBB42
SHA256: F12295FA3BE5F820ADDBEAB6EE23F4EA8980F3913AC19661A408E9221DD1AB00

PID: 3972 | Process: ViGEmBus_1.22.0_x64_x86_arm64.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI34DD.tmp
Type: executable
MD5: C9C085C00BC24802F066E5412DEFCF50
SHA256: A412B642DE0E94DB761EBD2834DDE72EED86E65FC4A580670A300015B874BA24

PID: 3972 | Process: ViGEmBus_1.22.0_x64_x86_arm64.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI358C.tmp
Type: executable
MD5: C9C085C00BC24802F066E5412DEFCF50
SHA256: A412B642DE0E94DB761EBD2834DDE72EED86E65FC4A580670A300015B874BA24

PID: 3972 | Process: ViGEmBus_1.22.0_x64_x86_arm64.exe
Filename: C:\ProgramData\Nefarius Software Solutions\ViGEm Bus Driver 1.22.0\install\A4E9077\ViGEmBus.x64.msi
Type: executable
MD5: 09F2BFB2532B4FFE0DF8A82233BA6A00
SHA256: AC457244AA5D2CBEBD05522C28FA8B483F06EE47C38EE3E701E7D16546DDE19A

PID: 3972 | Process: ViGEmBus_1.22.0_x64_x86_arm64.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI355C.tmp
Type: executable
MD5: C9C085C00BC24802F066E5412DEFCF50
SHA256: A412B642DE0E94DB761EBD2834DDE72EED86E65FC4A580670A300015B874BA24

PID: 3972 | Process: ViGEmBus_1.22.0_x64_x86_arm64.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3972\dialog.jpg
Type: image
MD5: 5F6253CFF5A8B031BFB3B161079D0D86
SHA256: 36D9BAB35D1E4B50045BF902F5D42B6F865488C75F6E60FC00A6CD6F69034AB0

PID: 3972 | Process: ViGEmBus_1.22.0_x64_x86_arm64.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI353C.tmp
Type: executable
MD5: C9C085C00BC24802F066E5412DEFCF50
SHA256: A412B642DE0E94DB761EBD2834DDE72EED86E65FC4A580670A300015B874BA24

PID: 3972 | Process: ViGEmBus_1.22.0_x64_x86_arm64.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3972\custicon
Type: image
MD5: BE6D2F48AA6634FB2101C273C798D4D9
SHA256: 0E22BC2BF7184DFDB55223A11439304A453FB3574E3C9034A6497AF405C628EF

PID: 3972 | Process: ViGEmBus_1.22.0_x64_x86_arm64.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3972\tabback
Type: binary
MD5: 4C3DDA35E23D44E273D82F7F4C38470A
SHA256: E728F79439E07DF1AFBCF03E8788FA0B8B08CF459DB31FC8568BC511BF799537
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info