File name: ViGEmBus_1.22.0_x64_x86_arm64.exe

Full analysis: https://app.any.run/tasks/b81c9ab6-37f2-4eb2-ab1e-9111084dc6f4
Verdict: Malicious activity
Analysis date: June 01, 2024, 14:56:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A62717E3E4306DE1DCA4FB5C2FA0AC6C
SHA1: 5EC1B1077B43E82C2D3712909C7ED80DD59504DD
SHA256: 89220A7865076B342892F98865F3499FB7C4CFD673159E89D352C360FD014C6A
SSDEEP: 98304:0zfyVMcz9E685gGpJaiTpH8qknpcM6f2DHvqMmAziOKyxjdLBTTpIDPz0Ur/Y21e:5/3ya1cAr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Reads security settings of Internet Explorer

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Checks Windows Trust Settings

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Executable content was dropped or overwritten

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Reads the Windows owner or organization settings

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
  • INFO

    • Checks supported languages

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
      • msiexec.exe (PID: 4044)
      • msiexec.exe (PID: 4088)
    • Reads the machine GUID from the registry

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
      • msiexec.exe (PID: 4044)
      • msiexec.exe (PID: 4088)
    • Reads the computer name

      • msiexec.exe (PID: 4088)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
      • msiexec.exe (PID: 4044)
    • Reads the software policy settings

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Reads Environment values

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Creates files in the program directory

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Creates files in a temporary directory

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 3972)
    • Application launched itself

      • msiexec.exe (PID: 4044)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:04 08:42:22+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.37
CodeSize: 2600448
InitializedDataSize: 1169920
UninitializedDataSize: -
EntryPoint: 0x1f0006
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.22.0.0
ProductVersionNumber: 1.22.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
CompanyName: Nefarius Software Solutions e.U.
FileDescription: ViGEm Bus Driver Installer
FileVersion: 1.22.0
InternalName: ViGEmBus_1.22.0_x64_x86_arm64
LegalCopyright: Copyright (C) 2023 Nefarius Software Solutions e.U.
OriginalFileName: ViGEmBus_1.22.0_x64_x86_arm64.exe
ProductName: ViGEm Bus Driver
ProductVersion: 1.22.0
All screenshots are available in the full report
Total processes: 34
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown: vigembus_1.22.0_x64_x86_arm64.exe (start), msiexec.exe (no specs), msiexec.exe (no specs)

Process information

PID: 3972
CMD: "C:\Users\admin\AppData\Local\Temp\ViGEmBus_1.22.0_x64_x86_arm64.exe"
Path: C:\Users\admin\AppData\Local\Temp\ViGEmBus_1.22.0_x64_x86_arm64.exe
Parent process: explorer.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: MEDIUM
Description: ViGEm Bus Driver Installer
Exit code: 1603
Version: 1.22.0
Modules (images):
  • c:\users\admin\appdata\local\temp\vigembus_1.22.0_x64_x86_arm64.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll

PID: 4044
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\msiexec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 4088
CMD: C:\Windows\system32\MsiExec.exe -Embedding A1ADC2A4856EC1185927005EAA5227DD C
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\msiexec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
Total events: 4 167
Read events: 4 150
Write events: 14
Delete events: 3

Modification events

(PID) Process: (3972) ViGEmBus_1.22.0_x64_x86_arm64.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3972) ViGEmBus_1.22.0_x64_x86_arm64.exe
Key: HKEY_CURRENT_USER\Software\AiTemp
Operation: delete value
Name: C__Users_admin_AppData_Local_Temp_ViGEmBus_1.22.0_x64_x86_arm64.exe
Value: (none)

(PID) Process: (3972) ViGEmBus_1.22.0_x64_x86_arm64.exe
Key: HKEY_CURRENT_USER\Software\AiTemp
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (3972) ViGEmBus_1.22.0_x64_x86_arm64.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation: delete value
Name: C__Users_admin_AppData_Local_Temp_ViGEmBus_1.22.0_x64_x86_arm64.exe
Value: (none)
Executable files: 8
Suspicious files: 1
Text files: 21
Unknown types: 0

Dropped files

All files below were dropped by PID 3972 (ViGEmBus_1.22.0_x64_x86_arm64.exe).

Filename: C:\ProgramData\Nefarius Software Solutions\ViGEm Bus Driver 1.22.0\install\holder0.aiph
Type: (not reported)
MD5: (not reported)
SHA256: (not reported)

Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3972\repairic
Type: image
MD5: 915E40A576FA41DC5F8486103341673E
SHA256: BF21B2BC3E7253968405F3D244CDB1C136672A5BDB088B524A333264898A2D11

Filename: C:\ProgramData\Nefarius Software Solutions\ViGEm Bus Driver 1.22.0\install\A4E9077\ViGEmBus.x64.msi
Type: executable
MD5: 09F2BFB2532B4FFE0DF8A82233BA6A00
SHA256: AC457244AA5D2CBEBD05522C28FA8B483F06EE47C38EE3E701E7D16546DDE19A

Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3972\info
Type: image
MD5: 8595D2A2D58310B448729E28649443D6
SHA256: 27F13C4829994B214BB1A26EEF474DA67C521FD429536CB8421BA2F7C3E02B5F

Filename: C:\Users\admin\AppData\Local\Temp\MSI34DD.tmp
Type: executable
MD5: C9C085C00BC24802F066E5412DEFCF50
SHA256: A412B642DE0E94DB761EBD2834DDE72EED86E65FC4A580670A300015B874BA24

Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3972\New
Type: image
MD5: 1E80DE80CEFEE55D7CFDA0DF2EDCF3B2
SHA256: 4E64F4E40D8CBFF082B37186C831AF4B49E3131C62C00A0CF53E0A6E7E24AC2B

Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3972\dialog.jpg
Type: image
MD5: 5F6253CFF5A8B031BFB3B161079D0D86
SHA256: 36D9BAB35D1E4B50045BF902F5D42B6F865488C75F6E60FC00A6CD6F69034AB0

Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3972\removico
Type: image
MD5: 1FFFE5C3CC990D0C012A428A59B2AE46
SHA256: 45791627AE8E67E6B616117CF21F04DA381722FAF08D07C0C25E0F28C9B8F82B

Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3972\insticon
Type: image
MD5: EAC3781BA9FB0502D6F16253EB67B2B4
SHA256: F864E8640C98B65C6C1B9B66A850661E8397ED6E66B06F4424396275488AF1BE

Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3972\completi
Type: image
MD5: C23AF89757665BC0386FD798A61B2112
SHA256: 031ED0378F819926D7B5B2C6C9367A0FB1CBAE40E1A3959E2652FE30A47D52F2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4 | Process: System | IP: 192.168.100.255:137 | Domain: (none) | ASN: (none) | CN: (none) | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Domain: (none) | ASN: (none) | CN: (none) | Reputation: whitelisted
PID: 1088 | Process: svchost.exe | IP: 224.0.0.252:5355 | Domain: (none) | ASN: (none) | CN: (none) | Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info