| File name: | epicgamesinstaller.exe |
| Full analysis: | https://app.any.run/tasks/1a18d71c-0210-40fd-be51-accccf766a69 |
| Verdict: | Malicious activity |
| Analysis date: | June 21, 2025, 18:02:21 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 3 sections |
| MD5: | C092C97477E421B855067114337E4CFA |
| SHA1: | 0B9FF3CC63C0BD36E8F584268C4DA87672BFC724 |
| SHA256: | 1ABDC3A18B66F9DDBA772E774A1DDCBB1F4A159B3F45D80288133DC1871D2C52 |
| SSDEEP: | 24576:odUzqkKzGBi1pCO4IwdQZc6QUzt2xKQai1QKZR+8UPTRBmBPV+tMGGIF8t2:odUzq9zGBi1pCTIwdcc6QUzt2xKBi1BS |
MALICIOUS
Changes the autorun value in the registry
- dxwebsetup.exe (PID: 6128)
Executing a file with an untrusted certificate
- infinst.exe (PID: 5896)
- infinst.exe (PID: 6768)
- infinst.exe (PID: 2520)
- infinst.exe (PID: 5416)
- infinst.exe (PID: 1128)
- infinst.exe (PID: 5124)
- infinst.exe (PID: 2708)
- infinst.exe (PID: 5744)
- infinst.exe (PID: 1036)
- infinst.exe (PID: 6808)
- infinst.exe (PID: 3112)
- infinst.exe (PID: 2044)
- infinst.exe (PID: 6688)
- infinst.exe (PID: 6612)
- infinst.exe (PID: 5564)
- infinst.exe (PID: 6596)
- infinst.exe (PID: 4844)
- infinst.exe (PID: 4104)
- infinst.exe (PID: 4112)
- infinst.exe (PID: 4932)
- infinst.exe (PID: 6104)
- infinst.exe (PID: 1208)
- infinst.exe (PID: 7128)
- infinst.exe (PID: 6360)
- infinst.exe (PID: 7092)
- infinst.exe (PID: 5168)
- infinst.exe (PID: 6152)
- infinst.exe (PID: 4460)
- infinst.exe (PID: 4020)
- infinst.exe (PID: 1760)
- infinst.exe (PID: 4920)
- infinst.exe (PID: 7140)
- infinst.exe (PID: 7164)
- infinst.exe (PID: 1080)
- infinst.exe (PID: 2028)
- infinst.exe (PID: 516)
- infinst.exe (PID: 3760)
- infinst.exe (PID: 3520)
- infinst.exe (PID: 6852)
- infinst.exe (PID: 5724)
- infinst.exe (PID: 1496)
- infinst.exe (PID: 5556)
- infinst.exe (PID: 1128)
- infinst.exe (PID: 5124)
- infinst.exe (PID: 2120)
- infinst.exe (PID: 5496)
- infinst.exe (PID: 504)
- infinst.exe (PID: 420)
- infinst.exe (PID: 4456)
- infinst.exe (PID: 4888)
- infinst.exe (PID: 6684)
- infinst.exe (PID: 1720)
- infinst.exe (PID: 3400)
- infinst.exe (PID: 1740)
- infinst.exe (PID: 4752)
- infinst.exe (PID: 432)
- infinst.exe (PID: 6596)
- infinst.exe (PID: 2952)
- infinst.exe (PID: 436)
- infinst.exe (PID: 4172)
- infinst.exe (PID: 4232)
- infinst.exe (PID: 4796)
- infinst.exe (PID: 5028)
- infinst.exe (PID: 6892)
- infinst.exe (PID: 5284)
- infinst.exe (PID: 236)
- infinst.exe (PID: 4708)
- infinst.exe (PID: 4764)
- infinst.exe (PID: 3676)
- infinst.exe (PID: 4312)
- infinst.exe (PID: 2800)
- infinst.exe (PID: 7100)
- infinst.exe (PID: 6308)
- infinst.exe (PID: 5776)
Registers / Runs the DLL via REGSVR32.EXE
- dxwsetup.exe (PID: 3100)
SUSPICIOUS
Starts a Microsoft application from unusual location
- dxwebsetup.exe (PID: 6128)
- dxwebsetup.exe (PID: 4312)
- dxwsetup.exe (PID: 3100)
Executable content was dropped or overwritten
- dxwebsetup.exe (PID: 6128)
- dxwsetup.exe (PID: 3100)
- infinst.exe (PID: 5896)
- infinst.exe (PID: 6768)
- infinst.exe (PID: 1128)
- infinst.exe (PID: 2520)
- infinst.exe (PID: 5416)
- infinst.exe (PID: 5124)
- infinst.exe (PID: 2708)
- infinst.exe (PID: 5744)
- infinst.exe (PID: 1036)
- infinst.exe (PID: 4112)
- infinst.exe (PID: 6808)
- infinst.exe (PID: 2044)
- infinst.exe (PID: 3112)
- infinst.exe (PID: 6612)
- infinst.exe (PID: 5564)
- infinst.exe (PID: 6688)
- infinst.exe (PID: 4932)
- infinst.exe (PID: 4104)
- infinst.exe (PID: 6596)
- infinst.exe (PID: 4844)
- infinst.exe (PID: 6104)
- infinst.exe (PID: 1208)
- infinst.exe (PID: 7128)
- infinst.exe (PID: 6360)
- infinst.exe (PID: 7092)
- infinst.exe (PID: 5168)
- infinst.exe (PID: 6152)
- infinst.exe (PID: 4460)
- infinst.exe (PID: 4020)
- infinst.exe (PID: 4456)
- infinst.exe (PID: 1760)
- infinst.exe (PID: 4920)
- infinst.exe (PID: 7140)
- infinst.exe (PID: 7164)
- infinst.exe (PID: 3760)
- infinst.exe (PID: 1080)
- infinst.exe (PID: 2028)
- infinst.exe (PID: 516)
- infinst.exe (PID: 3520)
- infinst.exe (PID: 6852)
- infinst.exe (PID: 1496)
- infinst.exe (PID: 5556)
- infinst.exe (PID: 5724)
- infinst.exe (PID: 1128)
- infinst.exe (PID: 5124)
- infinst.exe (PID: 2120)
- infinst.exe (PID: 5496)
- infinst.exe (PID: 504)
- infinst.exe (PID: 420)
- infinst.exe (PID: 4888)
- infinst.exe (PID: 6684)
- infinst.exe (PID: 4752)
- infinst.exe (PID: 3400)
- infinst.exe (PID: 1740)
- infinst.exe (PID: 1720)
- infinst.exe (PID: 2952)
- infinst.exe (PID: 432)
- infinst.exe (PID: 6596)
- infinst.exe (PID: 436)
- infinst.exe (PID: 4172)
- infinst.exe (PID: 4796)
- infinst.exe (PID: 6892)
- infinst.exe (PID: 4232)
- infinst.exe (PID: 5028)
- infinst.exe (PID: 236)
- infinst.exe (PID: 5284)
- infinst.exe (PID: 4708)
- infinst.exe (PID: 4764)
- infinst.exe (PID: 3676)
- infinst.exe (PID: 2800)
- infinst.exe (PID: 7100)
- infinst.exe (PID: 6308)
- infinst.exe (PID: 5776)
- infinst.exe (PID: 4312)
- epicgamesinstaller.exe (PID: 6832)
Process drops legitimate windows executable
- dxwebsetup.exe (PID: 6128)
- dxwsetup.exe (PID: 3100)
- infinst.exe (PID: 5896)
- infinst.exe (PID: 6768)
- infinst.exe (PID: 2520)
- infinst.exe (PID: 1128)
- infinst.exe (PID: 5124)
- infinst.exe (PID: 5416)
- infinst.exe (PID: 2708)
- infinst.exe (PID: 5744)
- infinst.exe (PID: 1036)
- infinst.exe (PID: 4112)
- infinst.exe (PID: 6808)
- infinst.exe (PID: 2044)
- infinst.exe (PID: 3112)
- infinst.exe (PID: 6688)
- infinst.exe (PID: 6612)
- infinst.exe (PID: 5564)
- infinst.exe (PID: 6596)
- infinst.exe (PID: 4104)
- infinst.exe (PID: 4932)
- infinst.exe (PID: 4844)
- infinst.exe (PID: 6104)
- infinst.exe (PID: 1208)
- infinst.exe (PID: 7128)
- infinst.exe (PID: 7092)
- infinst.exe (PID: 6360)
- infinst.exe (PID: 5168)
- infinst.exe (PID: 6152)
- infinst.exe (PID: 4460)
- infinst.exe (PID: 4020)
- infinst.exe (PID: 4920)
- infinst.exe (PID: 7140)
- infinst.exe (PID: 7164)
- infinst.exe (PID: 3760)
- infinst.exe (PID: 1080)
- infinst.exe (PID: 2028)
- infinst.exe (PID: 516)
- infinst.exe (PID: 3520)
- infinst.exe (PID: 6852)
- infinst.exe (PID: 5724)
- infinst.exe (PID: 1496)
- infinst.exe (PID: 5556)
- infinst.exe (PID: 1128)
- infinst.exe (PID: 5124)
- infinst.exe (PID: 2120)
- infinst.exe (PID: 1760)
- infinst.exe (PID: 4456)
- infinst.exe (PID: 504)
- infinst.exe (PID: 420)
- infinst.exe (PID: 5496)
- infinst.exe (PID: 6684)
- infinst.exe (PID: 4888)
- infinst.exe (PID: 3400)
- infinst.exe (PID: 1720)
- infinst.exe (PID: 4752)
- infinst.exe (PID: 2952)
- infinst.exe (PID: 432)
- infinst.exe (PID: 6596)
- infinst.exe (PID: 1740)
- infinst.exe (PID: 4796)
- infinst.exe (PID: 436)
- infinst.exe (PID: 4172)
- infinst.exe (PID: 4232)
- infinst.exe (PID: 5028)
- infinst.exe (PID: 236)
- infinst.exe (PID: 6892)
- infinst.exe (PID: 5284)
- infinst.exe (PID: 2800)
- infinst.exe (PID: 4764)
- infinst.exe (PID: 3676)
- infinst.exe (PID: 4708)
- infinst.exe (PID: 7100)
- infinst.exe (PID: 6308)
- infinst.exe (PID: 4312)
- infinst.exe (PID: 5776)
Executes as Windows Service
- VSSVC.exe (PID: 2148)
Reads security settings of Internet Explorer
- dxwsetup.exe (PID: 3100)
Searches for installed software
- dllhost.exe (PID: 3000)
Write to the desktop.ini file (may be used to cloak folders)
- dxwsetup.exe (PID: 3100)
Creates/Modifies COM task schedule object
- regsvr32.exe (PID: 1576)
- regsvr32.exe (PID: 2728)
- dxwsetup.exe (PID: 3100)
- regsvr32.exe (PID: 4236)
- regsvr32.exe (PID: 4752)
- regsvr32.exe (PID: 6148)
- regsvr32.exe (PID: 756)
- regsvr32.exe (PID: 5352)
- regsvr32.exe (PID: 4072)
- regsvr32.exe (PID: 5768)
- regsvr32.exe (PID: 4164)
- regsvr32.exe (PID: 6704)
- regsvr32.exe (PID: 6164)
- regsvr32.exe (PID: 4864)
- regsvr32.exe (PID: 4824)
- regsvr32.exe (PID: 1056)
- regsvr32.exe (PID: 6260)
- regsvr32.exe (PID: 6392)
- regsvr32.exe (PID: 4112)
- regsvr32.exe (PID: 6808)
- regsvr32.exe (PID: 7020)
- regsvr32.exe (PID: 7004)
- regsvr32.exe (PID: 1232)
- regsvr32.exe (PID: 6160)
- regsvr32.exe (PID: 7160)
- regsvr32.exe (PID: 1728)
- regsvr32.exe (PID: 1632)
- regsvr32.exe (PID: 2304)
Starts CMD.EXE for commands execution
- epicgamesinstaller.exe (PID: 6832)
INFO
Manual execution by a user
- dxwebsetup.exe (PID: 4312)
- dxwebsetup.exe (PID: 6128)
- WINWORD.EXE (PID: 3768)
- epicgamesinstaller.exe (PID: 6832)
Checks supported languages
- dxwebsetup.exe (PID: 6128)
- dxwsetup.exe (PID: 3100)
- infinst.exe (PID: 5896)
- infinst.exe (PID: 6768)
- infinst.exe (PID: 2520)
- infinst.exe (PID: 5416)
- infinst.exe (PID: 1128)
- infinst.exe (PID: 5124)
- infinst.exe (PID: 2708)
- infinst.exe (PID: 5744)
- infinst.exe (PID: 1036)
- infinst.exe (PID: 6808)
- infinst.exe (PID: 3112)
- infinst.exe (PID: 2044)
- infinst.exe (PID: 6688)
- infinst.exe (PID: 6612)
- infinst.exe (PID: 5564)
- infinst.exe (PID: 6596)
- infinst.exe (PID: 4112)
- infinst.exe (PID: 4844)
- infinst.exe (PID: 6104)
- infinst.exe (PID: 1208)
- infinst.exe (PID: 7128)
- infinst.exe (PID: 6360)
- infinst.exe (PID: 7092)
- infinst.exe (PID: 5168)
- infinst.exe (PID: 6152)
- infinst.exe (PID: 4460)
- infinst.exe (PID: 4020)
- infinst.exe (PID: 1760)
- infinst.exe (PID: 4932)
- infinst.exe (PID: 4104)
- infinst.exe (PID: 4920)
- infinst.exe (PID: 7140)
- infinst.exe (PID: 7164)
- infinst.exe (PID: 3760)
- infinst.exe (PID: 1080)
- infinst.exe (PID: 2028)
- infinst.exe (PID: 516)
- infinst.exe (PID: 3520)
- infinst.exe (PID: 6852)
- infinst.exe (PID: 5724)
- infinst.exe (PID: 5556)
- infinst.exe (PID: 1496)
- infinst.exe (PID: 1128)
- infinst.exe (PID: 5124)
- infinst.exe (PID: 2120)
- infinst.exe (PID: 5496)
- infinst.exe (PID: 504)
- infinst.exe (PID: 420)
- infinst.exe (PID: 4888)
- infinst.exe (PID: 6684)
- infinst.exe (PID: 4456)
- infinst.exe (PID: 3400)
- infinst.exe (PID: 1740)
- infinst.exe (PID: 4752)
- infinst.exe (PID: 1720)
- infinst.exe (PID: 432)
- infinst.exe (PID: 6596)
- infinst.exe (PID: 2952)
- infinst.exe (PID: 436)
- infinst.exe (PID: 4172)
- infinst.exe (PID: 4232)
- infinst.exe (PID: 4796)
- infinst.exe (PID: 5028)
- infinst.exe (PID: 6892)
- infinst.exe (PID: 4708)
- infinst.exe (PID: 5284)
- infinst.exe (PID: 236)
- infinst.exe (PID: 2800)
- infinst.exe (PID: 4764)
- infinst.exe (PID: 3676)
- infinst.exe (PID: 4312)
- infinst.exe (PID: 7100)
- infinst.exe (PID: 6308)
- infinst.exe (PID: 5776)
- epicgamesinstaller.exe (PID: 6832)
UPX packer has been detected
- epicgamesinstaller.exe (PID: 4676)
Create files in a temporary directory
- dxwebsetup.exe (PID: 6128)
- dxwsetup.exe (PID: 3100)
The sample compiled with english language support
- dxwebsetup.exe (PID: 6128)
- dxwsetup.exe (PID: 3100)
- infinst.exe (PID: 5896)
- infinst.exe (PID: 6768)
- infinst.exe (PID: 5416)
- infinst.exe (PID: 1128)
- infinst.exe (PID: 2520)
- infinst.exe (PID: 5124)
- infinst.exe (PID: 2708)
- infinst.exe (PID: 5744)
- infinst.exe (PID: 1036)
- infinst.exe (PID: 4112)
- infinst.exe (PID: 6808)
- infinst.exe (PID: 2044)
- infinst.exe (PID: 3112)
- infinst.exe (PID: 6688)
- infinst.exe (PID: 6612)
- infinst.exe (PID: 5564)
- infinst.exe (PID: 6596)
- infinst.exe (PID: 4932)
- infinst.exe (PID: 4844)
- infinst.exe (PID: 6104)
- infinst.exe (PID: 1208)
- infinst.exe (PID: 6360)
- infinst.exe (PID: 7128)
- infinst.exe (PID: 7092)
- infinst.exe (PID: 5168)
- infinst.exe (PID: 6152)
- infinst.exe (PID: 4460)
- infinst.exe (PID: 4020)
- infinst.exe (PID: 4456)
- infinst.exe (PID: 4104)
- infinst.exe (PID: 1760)
- infinst.exe (PID: 4920)
- infinst.exe (PID: 7140)
- infinst.exe (PID: 7164)
- infinst.exe (PID: 3760)
- infinst.exe (PID: 1080)
- infinst.exe (PID: 2028)
- infinst.exe (PID: 516)
- infinst.exe (PID: 3520)
- infinst.exe (PID: 6852)
- infinst.exe (PID: 1496)
- infinst.exe (PID: 5556)
- infinst.exe (PID: 5724)
- infinst.exe (PID: 1128)
- infinst.exe (PID: 5124)
- infinst.exe (PID: 5496)
- infinst.exe (PID: 504)
- infinst.exe (PID: 2120)
- infinst.exe (PID: 6684)
- infinst.exe (PID: 420)
- infinst.exe (PID: 4888)
- infinst.exe (PID: 4752)
- infinst.exe (PID: 3400)
- infinst.exe (PID: 1740)
- infinst.exe (PID: 1720)
- infinst.exe (PID: 2952)
- infinst.exe (PID: 432)
- infinst.exe (PID: 6596)
- infinst.exe (PID: 4172)
- infinst.exe (PID: 4796)
- infinst.exe (PID: 436)
- infinst.exe (PID: 5028)
- infinst.exe (PID: 4232)
- infinst.exe (PID: 6892)
- infinst.exe (PID: 5284)
- infinst.exe (PID: 236)
- infinst.exe (PID: 2800)
- infinst.exe (PID: 3676)
- infinst.exe (PID: 4708)
- infinst.exe (PID: 4764)
- infinst.exe (PID: 4312)
- infinst.exe (PID: 7100)
- infinst.exe (PID: 6308)
- infinst.exe (PID: 5776)
Launching a file from a Registry key
- dxwebsetup.exe (PID: 6128)
Reads the software policy settings
- dxwsetup.exe (PID: 3100)
- slui.exe (PID: 2348)
Creates files or folders in the user directory
- dxwsetup.exe (PID: 3100)
Checks proxy server information
- slui.exe (PID: 2348)
- dxwsetup.exe (PID: 3100)
Manages system restore points
- SrTasks.exe (PID: 4700)
Reads the computer name
- dxwsetup.exe (PID: 3100)
Reads the machine GUID from the registry
- dxwsetup.exe (PID: 3100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (47) |
|---|---|---|
| .exe | | | UPX compressed Win32 Executable (46.1) |
| .exe | | | Generic Win/DOS Executable (3.4) |
| .exe | | | DOS Executable Generic (3.4) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2023:03:11 14:46:52+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.35 |
| CodeSize: | 585728 |
| InitializedDataSize: | 4096 |
| UninitializedDataSize: | 884736 |
| EntryPoint: | 0x166c90 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
270
Monitored processes
118
Malicious processes
77
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 236 | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe XACT3_6_x64.inf | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 420 | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe XACT3_3_x64.inf | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 432 | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe d3dx10_41_x64.inf | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 436 | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe d3dx11_42_x64.inf | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 504 | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe X3DAudio1_5_x64.inf | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 516 | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe XAudio2_0_x64.inf | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 756 | C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\xactengine2_5.dll | C:\Windows\System32\regsvr32.exe | — | dxwsetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 856 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1036 | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe XACT2_1_x64.inf | C:\Users\admin\AppData\Local\Temp\DX69EC.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1056 | C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\XAudio2_1.dll | C:\Windows\System32\regsvr32.exe | — | dxwsetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
23 461
Read events
22 866
Write events
551
Delete events
44
Modification events
| (PID) Process: | (6128) dxwebsetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | wextract_cleanup0 |
Value: rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\" | |||
| (PID) Process: | (3100) dxwsetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (3100) dxwsetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (3100) dxwsetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3000) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 4800000000000000081A27EFD6E2DB01B80B000038130000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3100) dxwsetup.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4000000000000000081A27EFD6E2DB011C0C0000240E0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3000) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000569E43EFD6E2DB01B80B000038130000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3000) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000125248EFD6E2DB01B80B000038130000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3000) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000D3D47CEFD6E2DB01B80B000078190000E80300000100000000000000000000009460B82CACBCE54AB684B280CC790F5700000000000000000000000000000000 | |||
| (PID) Process: | (2148) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 48000000000000000BEC83EFD6E2DB0164080000E0150000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
657
Suspicious files
1 088
Text files
56
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6128 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif | text | |
MD5:7B1FBE9F5F43B2261234B78FE115CF8E | SHA256:762FF640013DB2BD4109D7DF43A867303093815751129BD1E33F16BF02E52CCE | |||
| 3100 | dxwsetup.exe | C:\Windows\Logs\DirectX.log | text | |
MD5:824F9BB3F520C2D98D5DF7171346803A | SHA256:485FAD232EE4ED5CFC9DE8D995249084132A70F1F0FF5BC19A7C112E0E213FBA | |||
| 6128 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf | text | |
MD5:AD8982EAA02C7AD4D7CDCBC248CAA941 | SHA256:D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00 | |||
| 3100 | dxwsetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956 | binary | |
MD5:BEACC752BD8BB4BED5989902DC79BCA3 | SHA256:6E4F3A205619E41164F51EA19DC3824091A496829A7DF1D728017C97557E4622 | |||
| 3100 | dxwsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\DXIDFB1.tmp | text | |
MD5:2C4D9E4773084F33092CED15678A2C46 | SHA256:ED710D035CCAAB0914810BECF2F5DB2816DBA3A351F3666A38A903C80C16997A | |||
| 3100 | dxwsetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | binary | |
MD5:0F7B8F6A846AA9CA52FA562DDDCDB5ED | SHA256:AFF90E65A81289B80D1FCC5E71B3D88E5D1AAFE22CE358EB6E28A56D1845263D | |||
| 3100 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\dxupdate.cab | compressed | |
MD5:4AFD7F5C0574A0EFD163740ECB142011 | SHA256:6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2 | |||
| 3100 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\SETD11C.tmp | executable | |
MD5:A5412A144F63D639B47FCC1BA68CB029 | SHA256:8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6 | |||
| 3100 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\filelist.dat | text | |
MD5:CC85D7649546D3C0B1607F761B73FEC2 | SHA256:E1C85577FEE77B7535AF5918DE16479D5B38F08D7AADBF1B3613D275C7797920 | |||
| 3100 | dxwsetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | binary | |
MD5:638C4B45B770AE6D426477DFB5B2597C | SHA256:6EA1BC3F6A882D0BB1F725FC35493A604AB285AD92E3D904875F084158DEF9AA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
174
TCP/UDP connections
55
DNS requests
40
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5848 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
3100 | dxwsetup.exe | GET | 302 | 2.18.160.223:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/dxupdate.cab | unknown | — | — | whitelisted |
3100 | dxwsetup.exe | GET | 302 | 2.18.160.223:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Apr2006_xinput_x86.cab | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5328 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 184.24.77.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3100 | dxwsetup.exe | GET | 302 | 2.18.160.223:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Aug2006_xinput_x86.cab | unknown | — | — | whitelisted |
3100 | dxwsetup.exe | GET | 302 | 2.18.160.223:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Dec2006_d3dx10_00_x86.cab | unknown | — | — | whitelisted |
3100 | dxwsetup.exe | GET | 302 | 2.18.160.223:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Apr2007_xinput_x64.cab | unknown | — | — | whitelisted |
3100 | dxwsetup.exe | GET | 302 | 2.18.160.223:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Dec2006_d3dx10_00_x64.cab | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5116 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1268 | svchost.exe | 184.24.77.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5328 | SearchApp.exe | 2.16.204.156:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
5328 | SearchApp.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
fp.msedge.net |
| whitelisted |
ln-ring.msedge.net |
| whitelisted |
spo-ring.msedge.net |
| whitelisted |
44d8a2d869593b5774f9328b5e1f65a9.azr.footprintdns.com |
| whitelisted |
Threats
Process | Message |
|---|---|
dxwsetup.exe | Invalid parameter passed to C runtime function.
|
dxwsetup.exe | DLL_PROCESS_ATTACH |
dxwsetup.exe | Invalid parameter passed to C runtime function.
|
dxwsetup.exe | DLL_PROCESS_ATTACH |
dxwsetup.exe | DLL_PROCESS_DETACH |
dxwsetup.exe | DLL_PROCESS_DETACH |
dxwsetup.exe | DLL_PROCESS_ATTACH |
dxwsetup.exe | DLL_PROCESS_ATTACH |
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|