File name:

DS4Windows_3.3.3_x64.zip

Full analysis: https://app.any.run/tasks/e3fb7ef5-9e10-4a15-bb0b-7d8df95be825
Verdict: Malicious activity
Analysis date: August 31, 2024, 19:41:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

B35E3AAEB5FFCA32D4B426474A755361

SHA1:

E869C8164400E1801E48C561B608E84A91515109

SHA256:

CF5619BCB51B82E4E1765276E9F67FB1E2D23DFF968A653657ACF35BAFFF8BF4

SSDEEP:

98304:nRUMju2G1q+/k+iyBMQ01wvxOF8w9Tgb6+1+eO26oDjNzJ6voA3BwKcoTmEZRHXK:gUrrE2r8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 1480)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7872)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)
      • msiexec.exe (PID: 7216)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • HidHide_1.2.128_x64.exe (PID: 7684)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 1480)
      • GameBar.exe (PID: 6640)
      • DS4Windows.exe (PID: 2224)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • DS4Windows.exe (PID: 7548)
      • DS4Windows.exe (PID: 5740)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • HidHide_1.2.128_x64.exe (PID: 7684)

    • Executable content was dropped or overwritten

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7872)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)
      • DS4Windows.exe (PID: 7548)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • nefconw.exe (PID: 2728)
      • drvinst.exe (PID: 2132)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • HidHide_1.2.128_x64.exe (PID: 7684)
      • nefconw.exe (PID: 8120)
      • drvinst.exe (PID: 7036)

    • Starts a Microsoft application from unusual location

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)

    • Drops the executable file immediately after the start

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7872)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)
      • msiexec.exe (PID: 7216)
      • DS4Windows.exe (PID: 7548)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • nefconw.exe (PID: 2728)
      • drvinst.exe (PID: 2132)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • nefconw.exe (PID: 8120)
      • HidHide_1.2.128_x64.exe (PID: 7684)
      • drvinst.exe (PID: 7036)

    • Searches for installed software

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)

    • Reads the date of Windows installation

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • DS4Windows.exe (PID: 5740)
      • DS4Windows.exe (PID: 7548)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • HidHide_1.2.128_x64.exe (PID: 876)

    • Starts itself from another location

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)

    • Creates a software uninstall entry

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7216)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • HidHide_1.2.128_x64.exe (PID: 7684)

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 7216)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • drvinst.exe (PID: 2132)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • HidHide_1.2.128_x64.exe (PID: 7684)

    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 7216)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 7216)

    • Application launched itself

      • DS4Windows.exe (PID: 5740)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • HidHide_1.2.128_x64.exe (PID: 876)

    • Reads Internet Explorer settings

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • HidHide_1.2.128_x64.exe (PID: 876)

    • Executes as Windows Service

      • VSSVC.exe (PID: 1700)

    • Drops a system driver (possible attempt to evade defenses)

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • nefconw.exe (PID: 2728)
      • drvinst.exe (PID: 2132)
      • msiexec.exe (PID: 7216)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • nefconw.exe (PID: 8120)
      • drvinst.exe (PID: 7036)

    • Creates files in the driver directory

      • drvinst.exe (PID: 2132)

    • Creates or modifies Windows services

      • drvinst.exe (PID: 2816)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1480)
      • msedge.exe (PID: 6516)
      • msiexec.exe (PID: 7216)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 1480)
      • msedge.exe (PID: 7876)
      • msedge.exe (PID: 6516)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • DS4Windows.exe (PID: 5740)
      • DS4Windows.exe (PID: 7548)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • HidHide_1.2.128_x64.exe (PID: 876)

    • Reads the computer name

      • DS4Windows.exe (PID: 2224)
      • GameBar.exe (PID: 6640)
      • identity_helper.exe (PID: 7744)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)
      • msiexec.exe (PID: 7216)
      • msiexec.exe (PID: 2400)
      • msiexec.exe (PID: 7828)
      • msiexec.exe (PID: 7176)
      • msiexec.exe (PID: 5376)
      • identity_helper.exe (PID: 7824)
      • DS4Windows.exe (PID: 5740)
      • DS4Windows.exe (PID: 7548)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • msiexec.exe (PID: 3980)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • msiexec.exe (PID: 5504)
      • nefconw.exe (PID: 6856)
      • nefconw.exe (PID: 2728)
      • drvinst.exe (PID: 2816)
      • drvinst.exe (PID: 2132)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • msiexec.exe (PID: 7580)
      • HidHide_1.2.128_x64.exe (PID: 7684)

    • Checks supported languages

      • GameBar.exe (PID: 6640)
      • DS4Windows.exe (PID: 2224)
      • identity_helper.exe (PID: 7744)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7872)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)
      • msiexec.exe (PID: 7216)
      • msiexec.exe (PID: 2400)
      • msiexec.exe (PID: 7828)
      • DS4Windows.exe (PID: 5740)
      • msiexec.exe (PID: 5376)
      • identity_helper.exe (PID: 7824)
      • msiexec.exe (PID: 7176)
      • DS4Windows.exe (PID: 7548)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • msiexec.exe (PID: 3980)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • msiexec.exe (PID: 5504)
      • nefconw.exe (PID: 6856)
      • drvinst.exe (PID: 2132)
      • drvinst.exe (PID: 2816)
      • nefconw.exe (PID: 2728)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • msiexec.exe (PID: 7580)
      • HidHide_1.2.128_x64.exe (PID: 7684)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6516)
      • DS4Windows.exe (PID: 2224)
      • msedge.exe (PID: 6900)

    • Reads Environment values

      • identity_helper.exe (PID: 7744)
      • identity_helper.exe (PID: 7824)
      • DS4Windows.exe (PID: 5740)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • msiexec.exe (PID: 3980)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • msiexec.exe (PID: 5504)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • msiexec.exe (PID: 7580)
      • HidHide_1.2.128_x64.exe (PID: 7684)

    • Application launched itself

      • msedge.exe (PID: 6516)
      • msedge.exe (PID: 6900)

    • Process checks computer location settings

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • DS4Windows.exe (PID: 7548)
      • DS4Windows.exe (PID: 5740)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • HidHide_1.2.128_x64.exe (PID: 876)

    • Create files in a temporary directory

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7896)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 7872)
      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)
      • DS4Windows.exe (PID: 5740)
      • DS4Windows.exe (PID: 7548)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • nefconw.exe (PID: 2728)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • HidHide_1.2.128_x64.exe (PID: 7684)

    • Reads the software policy settings

      • msiexec.exe (PID: 7216)
      • DS4Windows.exe (PID: 7548)
      • DS4Windows.exe (PID: 5740)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • drvinst.exe (PID: 2132)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • HidHide_1.2.128_x64.exe (PID: 7684)

    • Reads the machine GUID from the registry

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)
      • msiexec.exe (PID: 7216)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 7440)
      • drvinst.exe (PID: 2132)
      • HidHide_1.2.128_x64.exe (PID: 876)
      • HidHide_1.2.128_x64.exe (PID: 7684)

    • Creates files in the program directory

      • windowsdesktop-runtime-8.0.8-win-x64.exe (PID: 5292)
      • DS4Windows.exe (PID: 5740)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
      • HidHide_1.2.128_x64.exe (PID: 876)

    • Manual execution by a user

      • DS4Windows.exe (PID: 5740)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 7216)

    • Checks proxy server information

      • DS4Windows.exe (PID: 5740)
      • DS4Windows.exe (PID: 7548)
      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)

    • Reads product name

      • DS4Windows.exe (PID: 5740)

    • Creates files or folders in the user directory

      • ViGEmBus_1.22.0_x64_x86_arm64.exe (PID: 1448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:12:31 12:33:30
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: DS4Windows/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
252
Monitored processes
108
Malicious processes
11
Suspicious processes
9

Behavior graph

Click at the process to see the details
start winrar.exe ds4windows.exe gamebar.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs windowsdesktop-runtime-8.0.8-win-x64.exe windowsdesktop-runtime-8.0.8-win-x64.exe windowsdesktop-runtime-8.0.8-win-x64.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs ds4windows.exe ds4windows.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs vigembus_1.22.0_x64_x86_arm64.exe msiexec.exe no specs vigembus_1.22.0_x64_x86_arm64.exe vssvc.exe no specs msedge.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs nefconw.exe no specs nefconw.exe drvinst.exe msedge.exe no specs drvinst.exe no specs hidhide_1.2.128_x64.exe msiexec.exe no specs msedge.exe no specs msedge.exe no specs hidhide_1.2.128_x64.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe no specs nefconw.exe no specs nefconw.exe drvinst.exe drvinst.exe no specs nefconw.exe no specs nefconw.exe no specs nefconw.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
376"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2388 --field-trial-handle=2400,i,2728690038254655585,11641915890720347488,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
376DrvInst.exe "2" "201" "ROOT\SYSTEM\0002" "C:\WINDOWS\System32\DriverStore\FileRepository\hidhide.inf_amd64_c917ff59d737cec7\hidhide.inf" "oem6.inf:*:*:1.2.98.0:root\HidHide," "49f2aa4cb" "0000000000000208"C:\Windows\System32\drvinst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
488"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7456 --field-trial-handle=2400,i,2728690038254655585,11641915890720347488,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
876"C:\Users\admin\AppData\Local\Temp\HidHide_1.2.128_x64.exe" C:\Users\admin\AppData\Local\Temp\HidHide_1.2.128_x64.exe
DS4Windows.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
HidHide Installer
Exit code:
0
Version:
1.2.128
Modules
Images
c:\users\admin\appdata\local\temp\hidhide_1.2.128_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1060"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4892 --field-trial-handle=2256,i,14509576172337807212,1798319571791132805,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
1332"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5716 --field-trial-handle=2400,i,2728690038254655585,11641915890720347488,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1448"C:\Users\admin\AppData\Local\Temp\ViGEmBus_1.22.0_x64_x86_arm64.exe" C:\Users\admin\AppData\Local\Temp\ViGEmBus_1.22.0_x64_x86_arm64.exe
DS4Windows.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
ViGEm Bus Driver Installer
Exit code:
0
Version:
1.22.0
Modules
Images
c:\users\admin\appdata\local\temp\vigembus_1.22.0_x64_x86_arm64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1480"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\DS4Windows_3.3.3_x64.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1492"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3876 --field-trial-handle=2256,i,14509576172337807212,1798319571791132805,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1640"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3860 --field-trial-handle=2400,i,2728690038254655585,11641915890720347488,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
85 319
Read events
83 800
Write events
1 428
Delete events
91

Modification events

(PID) Process:(1480) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1480) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1480) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(1480) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\DS4Windows_3.3.3_x64.zip
(PID) Process:(1480) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1480) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1480) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1480) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1480) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1480) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
683
Suspicious files
477
Text files
244
Unknown types
15

Dropped files

PID
Process
Filename
Type
1480WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\DS4Windows.runtimeconfig.jsonbinary
MD5:D2E7AA8F1B739E4896F676105034AA3D
SHA256:37B4FBB913A102F13063829F827A5030168A2BA4CDF88593AEE1CA266309FC58
1480WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\BezierCurveEditor\index.htmlhtml
MD5:B7F3E0AEC1E9905B2706285819AD8627
SHA256:FBD5E846237145AAA4B1D5275EAF95013A31D41E9CDAAAD032D583245DE54A7E
1480WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\DotNetProjects.Wpf.Extended.Toolkit.dllexecutable
MD5:8983F161391AB632B9D2AEA51A69C4CE
SHA256:8038EEAA3483C1A751F04F5ACD1CBE5D01C772F9049D04E3BF0D07D04F5723BF
1480WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\DS4Windows.deps.jsonbinary
MD5:A2A3BBF0765877CE03B5E3A3414D604A
SHA256:39915D00FBFB5CFB9CB6EFE36C26A620BCCB2BC1FB3675F8BF7931A9C2CA5180
1480WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\BezierCurveEditor\build.jstext
MD5:61B6490D371C57D566AE713880F3AB40
SHA256:FCE907CF01187E1CA0AFB91341FB6D793A97D359918278A759AD03AB4DD71348
1480WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\H.NotifyIcon.dllexecutable
MD5:A44681119866A16FD9A3461A839559A8
SHA256:2AFE988B67F36ABA97CAB8FDAFC522DF13C4399FC3A9D3DD521F38D25BF0461D
1480WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\FakerInputWrapper.dllexecutable
MD5:25989CCC74DCF12A2216C196D8C94B9B
SHA256:4792671766A575394D3402A9365AF9908AF94E812EC1969BFE4975C0AB4F5430
1480WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\Lang\ar\DS4Windows.resources.dllexecutable
MD5:A9B68E0C6A30FD6A12C6C2B463CB9711
SHA256:7C7B59283F43107CB7094FA534DB00EC4A2DD350DDE7B04CC14555BD4474E26C
1480WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\DS4Updater.exeexecutable
MD5:E86B6BA53CA8462BAEAEE561AE187E9F
SHA256:622C770E622DAF9E08C06E203C982613EC9CC2CF73E0EFEE68461B7A2E7646A5
1480WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\FakerInputDll.dllexecutable
MD5:7C87A11E5C2BBD4E2414C568EA4F4360
SHA256:7E3D67A3E6B4EF2ABA039A3B1E079ACDE3AD95E0286A87623949AD74607D1A50
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
95
DNS requests
93
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3424
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7180
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6516
msedge.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
7180
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1076
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a1310cb6-94be-46c6-b8dc-986450234260?P1=1725569108&P2=404&P3=2&P4=L5bBsmpa71lB49o9lqgxWI0ZBUuhy8m342GdtCBM1oFziqUn3rtF9P2mTvoB7TgxyW%2bJ%2bfxGEyDNbaF7%2bCfvHg%3d%3d
unknown
whitelisted
1076
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a1310cb6-94be-46c6-b8dc-986450234260?P1=1725569108&P2=404&P3=2&P4=L5bBsmpa71lB49o9lqgxWI0ZBUuhy8m342GdtCBM1oFziqUn3rtF9P2mTvoB7TgxyW%2bJ%2bfxGEyDNbaF7%2bCfvHg%3d%3d
unknown
whitelisted
1076
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a1310cb6-94be-46c6-b8dc-986450234260?P1=1725569108&P2=404&P3=2&P4=L5bBsmpa71lB49o9lqgxWI0ZBUuhy8m342GdtCBM1oFziqUn3rtF9P2mTvoB7TgxyW%2bJ%2bfxGEyDNbaF7%2bCfvHg%3d%3d
unknown
whitelisted
1076
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a1310cb6-94be-46c6-b8dc-986450234260?P1=1725569108&P2=404&P3=2&P4=L5bBsmpa71lB49o9lqgxWI0ZBUuhy8m342GdtCBM1oFziqUn3rtF9P2mTvoB7TgxyW%2bJ%2bfxGEyDNbaF7%2bCfvHg%3d%3d
unknown
whitelisted
1076
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a1310cb6-94be-46c6-b8dc-986450234260?P1=1725569108&P2=404&P3=2&P4=L5bBsmpa71lB49o9lqgxWI0ZBUuhy8m342GdtCBM1oFziqUn3rtF9P2mTvoB7TgxyW%2bJ%2bfxGEyDNbaF7%2bCfvHg%3d%3d
unknown
whitelisted
1076
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d1f36ed7-6fe0-4c29-bcf9-fa058cdd16db?P1=1725694864&P2=404&P3=2&P4=FUSb%2fyBIbtJKw6TWLwwf%2bUHuCvY%2bbHloxCombkd0yfKkcx0qJo0SuL96lP8DI3XQBBxVkW8AbcUeM5iis%2fiVjw%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6440
svchost.exe
51.11.168.232:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
6420
RUXIMICS.exe
51.11.168.232:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
51.11.168.232:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3424
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3424
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2628
msedge.exe
104.119.110.121:443
aka.ms
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.11.168.232
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.206
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.17
  • 40.126.32.72
  • 20.190.160.20
  • 40.126.32.136
  • 40.126.32.140
  • 20.190.160.22
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
aka.ms
  • 104.119.110.121
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
api.edgeoffer.microsoft.com
  • 94.245.104.56
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Process
Message
DS4Windows.exe
You must install .NET to run this application. App: C:\Users\admin\AppData\Local\Temp\Rar$EXa1480.13483\DS4Windows\DS4Windows.exe Architecture: x64 App host version: 8.0.0 .NET location: Not found Learn more: https://aka.ms/dotnet/app-launch-failed Download the .NET runtime: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win-x64&os=win10&apphost_version=8.0.0
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DS4Windows_3.3.3_x64.zip