| File name: | dxwebsetup.exe |
| Full analysis: | https://app.any.run/tasks/88f831d8-c18b-4e32-b3d5-b05dcd8a79c2 |
| Verdict: | Malicious activity |
| Analysis date: | May 23, 2025, 16:42:12 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive, 3 sections |
| MD5: | 2CBD6AD183914A0C554F0739069E77D7 |
| SHA1: | 7BF35F2AFCA666078DB35CA95130BEB2E3782212 |
| SHA256: | 2CF71D098C608C56E07F4655855A886C3102553F648DF88458DF616B26FD612F |
| SSDEEP: | 6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0 |
MALICIOUS
Changes the autorun value in the registry
- dxwebsetup.exe (PID: 3784)
Executing a file with an untrusted certificate
- infinst.exe (PID: 7772)
- infinst.exe (PID: 1052)
- infinst.exe (PID: 4228)
- infinst.exe (PID: 7580)
- infinst.exe (PID: 7308)
- infinst.exe (PID: 7240)
- infinst.exe (PID: 6072)
- infinst.exe (PID: 5668)
- infinst.exe (PID: 7780)
- infinst.exe (PID: 7664)
- infinst.exe (PID: 1764)
- infinst.exe (PID: 7052)
- infinst.exe (PID: 8184)
- infinst.exe (PID: 7104)
- infinst.exe (PID: 3992)
- infinst.exe (PID: 2316)
- infinst.exe (PID: 2096)
- infinst.exe (PID: 8088)
- infinst.exe (PID: 3760)
- infinst.exe (PID: 7376)
- infinst.exe (PID: 7320)
- infinst.exe (PID: 8056)
- infinst.exe (PID: 3828)
- infinst.exe (PID: 4424)
- infinst.exe (PID: 7204)
- infinst.exe (PID: 7880)
- infinst.exe (PID: 8124)
- infinst.exe (PID: 6184)
- infinst.exe (PID: 7916)
- infinst.exe (PID: 7436)
- infinst.exe (PID: 7460)
- infinst.exe (PID: 1096)
- infinst.exe (PID: 736)
- infinst.exe (PID: 7228)
- infinst.exe (PID: 1088)
- infinst.exe (PID: 7708)
- infinst.exe (PID: 6268)
- infinst.exe (PID: 7848)
- infinst.exe (PID: 3124)
- infinst.exe (PID: 7804)
- infinst.exe (PID: 896)
- infinst.exe (PID: 904)
- infinst.exe (PID: 5116)
- infinst.exe (PID: 4880)
- infinst.exe (PID: 5056)
- infinst.exe (PID: 6572)
- infinst.exe (PID: 7272)
- infinst.exe (PID: 6148)
- infinst.exe (PID: 4304)
- infinst.exe (PID: 4572)
- infinst.exe (PID: 2092)
- infinst.exe (PID: 6156)
- infinst.exe (PID: 5084)
- infinst.exe (PID: 5072)
- infinst.exe (PID: 3900)
- infinst.exe (PID: 5244)
- infinst.exe (PID: 7528)
- infinst.exe (PID: 4228)
- infinst.exe (PID: 7580)
- infinst.exe (PID: 7556)
- infinst.exe (PID: 2236)
- infinst.exe (PID: 2084)
- infinst.exe (PID: 7240)
- infinst.exe (PID: 3012)
- infinst.exe (PID: 5324)
- infinst.exe (PID: 1004)
- infinst.exe (PID: 6384)
- infinst.exe (PID: 7672)
- infinst.exe (PID: 7764)
- infinst.exe (PID: 7728)
- infinst.exe (PID: 7100)
- infinst.exe (PID: 5384)
- infinst.exe (PID: 7572)
- infinst.exe (PID: 3992)
Registers / Runs the DLL via REGSVR32.EXE
- dxwsetup.exe (PID: 7148)
SUSPICIOUS
Process drops legitimate windows executable
- dxwebsetup.exe (PID: 3784)
- dxwsetup.exe (PID: 7148)
- infinst.exe (PID: 7580)
- infinst.exe (PID: 7772)
- infinst.exe (PID: 1052)
- infinst.exe (PID: 4228)
- infinst.exe (PID: 7308)
- infinst.exe (PID: 7240)
- infinst.exe (PID: 6072)
- infinst.exe (PID: 7052)
- infinst.exe (PID: 7664)
- infinst.exe (PID: 1764)
- infinst.exe (PID: 5668)
- infinst.exe (PID: 7780)
- infinst.exe (PID: 7104)
- infinst.exe (PID: 3992)
- infinst.exe (PID: 2316)
- infinst.exe (PID: 8184)
- infinst.exe (PID: 2096)
- infinst.exe (PID: 3760)
- infinst.exe (PID: 7376)
- infinst.exe (PID: 8088)
- infinst.exe (PID: 7320)
- infinst.exe (PID: 8056)
- infinst.exe (PID: 3828)
- infinst.exe (PID: 4424)
- infinst.exe (PID: 7204)
- infinst.exe (PID: 8124)
- infinst.exe (PID: 7880)
- infinst.exe (PID: 7916)
- infinst.exe (PID: 6184)
- infinst.exe (PID: 7436)
- infinst.exe (PID: 7460)
- infinst.exe (PID: 736)
- infinst.exe (PID: 1088)
- infinst.exe (PID: 7228)
- infinst.exe (PID: 7708)
- infinst.exe (PID: 1096)
- infinst.exe (PID: 904)
- infinst.exe (PID: 7848)
- infinst.exe (PID: 3124)
- infinst.exe (PID: 7804)
- infinst.exe (PID: 6268)
- infinst.exe (PID: 896)
- infinst.exe (PID: 7272)
- infinst.exe (PID: 5116)
- infinst.exe (PID: 4880)
- infinst.exe (PID: 5056)
- infinst.exe (PID: 4304)
- infinst.exe (PID: 6148)
- infinst.exe (PID: 4572)
- infinst.exe (PID: 6572)
- infinst.exe (PID: 3900)
- infinst.exe (PID: 5244)
- infinst.exe (PID: 6156)
- infinst.exe (PID: 5084)
- infinst.exe (PID: 2092)
- infinst.exe (PID: 7528)
- infinst.exe (PID: 5072)
- infinst.exe (PID: 7556)
- infinst.exe (PID: 4228)
- infinst.exe (PID: 2084)
- infinst.exe (PID: 5324)
- infinst.exe (PID: 7240)
- infinst.exe (PID: 3012)
- infinst.exe (PID: 7580)
- infinst.exe (PID: 6384)
- infinst.exe (PID: 7672)
- infinst.exe (PID: 2236)
- infinst.exe (PID: 1004)
- infinst.exe (PID: 7572)
- infinst.exe (PID: 7728)
- infinst.exe (PID: 7100)
- infinst.exe (PID: 7764)
- infinst.exe (PID: 3992)
- infinst.exe (PID: 5384)
Executable content was dropped or overwritten
- dxwebsetup.exe (PID: 3784)
- dxwsetup.exe (PID: 7148)
- infinst.exe (PID: 7580)
- infinst.exe (PID: 7772)
- infinst.exe (PID: 1052)
- infinst.exe (PID: 4228)
- infinst.exe (PID: 6072)
- infinst.exe (PID: 7308)
- infinst.exe (PID: 7240)
- infinst.exe (PID: 7664)
- infinst.exe (PID: 1764)
- infinst.exe (PID: 5668)
- infinst.exe (PID: 7052)
- infinst.exe (PID: 7780)
- infinst.exe (PID: 8184)
- infinst.exe (PID: 7104)
- infinst.exe (PID: 2316)
- infinst.exe (PID: 2096)
- infinst.exe (PID: 3992)
- infinst.exe (PID: 3760)
- infinst.exe (PID: 7376)
- infinst.exe (PID: 8088)
- infinst.exe (PID: 7320)
- infinst.exe (PID: 8056)
- infinst.exe (PID: 4424)
- infinst.exe (PID: 3828)
- infinst.exe (PID: 7204)
- infinst.exe (PID: 8124)
- infinst.exe (PID: 7880)
- infinst.exe (PID: 7916)
- infinst.exe (PID: 6184)
- infinst.exe (PID: 7436)
- infinst.exe (PID: 7460)
- infinst.exe (PID: 1096)
- infinst.exe (PID: 736)
- infinst.exe (PID: 7228)
- infinst.exe (PID: 1088)
- infinst.exe (PID: 7708)
- infinst.exe (PID: 6268)
- infinst.exe (PID: 7848)
- infinst.exe (PID: 904)
- infinst.exe (PID: 3124)
- infinst.exe (PID: 7804)
- infinst.exe (PID: 5116)
- infinst.exe (PID: 4880)
- infinst.exe (PID: 5056)
- infinst.exe (PID: 896)
- infinst.exe (PID: 7272)
- infinst.exe (PID: 6572)
- infinst.exe (PID: 4304)
- infinst.exe (PID: 6148)
- infinst.exe (PID: 4572)
- infinst.exe (PID: 2092)
- infinst.exe (PID: 5244)
- infinst.exe (PID: 6156)
- infinst.exe (PID: 5084)
- infinst.exe (PID: 5072)
- infinst.exe (PID: 3900)
- infinst.exe (PID: 7556)
- infinst.exe (PID: 7528)
- infinst.exe (PID: 4228)
- infinst.exe (PID: 7580)
- infinst.exe (PID: 7240)
- infinst.exe (PID: 3012)
- infinst.exe (PID: 5324)
- infinst.exe (PID: 2084)
- infinst.exe (PID: 1004)
- infinst.exe (PID: 6384)
- infinst.exe (PID: 2236)
- infinst.exe (PID: 7728)
- infinst.exe (PID: 7100)
- infinst.exe (PID: 7764)
- infinst.exe (PID: 7672)
- infinst.exe (PID: 7572)
- infinst.exe (PID: 3992)
- infinst.exe (PID: 5384)
Starts a Microsoft application from unusual location
- dxwebsetup.exe (PID: 5680)
- dxwsetup.exe (PID: 7148)
- dxwebsetup.exe (PID: 3784)
Reads security settings of Internet Explorer
- dxwsetup.exe (PID: 7148)
Executes as Windows Service
- VSSVC.exe (PID: 1012)
Searches for installed software
- dllhost.exe (PID: 2772)
Starts CMD.EXE for commands execution
- nv.exe (PID: 6900)
Identifying current user with WHOAMI command
- cmd.exe (PID: 6372)
INFO
The sample compiled with english language support
- dxwebsetup.exe (PID: 3784)
- dxwsetup.exe (PID: 7148)
- firefox.exe (PID: 5404)
- WinRAR.exe (PID: 7304)
- infinst.exe (PID: 7580)
- infinst.exe (PID: 7772)
- infinst.exe (PID: 1052)
- infinst.exe (PID: 4228)
- infinst.exe (PID: 6072)
- infinst.exe (PID: 7308)
- infinst.exe (PID: 7240)
- infinst.exe (PID: 7780)
- infinst.exe (PID: 7664)
- infinst.exe (PID: 5668)
- infinst.exe (PID: 7052)
- infinst.exe (PID: 8184)
- infinst.exe (PID: 7104)
- infinst.exe (PID: 3992)
- infinst.exe (PID: 2316)
- infinst.exe (PID: 1764)
- infinst.exe (PID: 2096)
- infinst.exe (PID: 3760)
- infinst.exe (PID: 7376)
- infinst.exe (PID: 8088)
- infinst.exe (PID: 7320)
- infinst.exe (PID: 4424)
- infinst.exe (PID: 7204)
- infinst.exe (PID: 8124)
- infinst.exe (PID: 7880)
- infinst.exe (PID: 8056)
- infinst.exe (PID: 3828)
- infinst.exe (PID: 7436)
- infinst.exe (PID: 7916)
- infinst.exe (PID: 6184)
- infinst.exe (PID: 7460)
- infinst.exe (PID: 1096)
- infinst.exe (PID: 736)
- infinst.exe (PID: 1088)
- infinst.exe (PID: 7708)
- infinst.exe (PID: 7228)
- infinst.exe (PID: 6268)
- infinst.exe (PID: 7848)
- infinst.exe (PID: 904)
- infinst.exe (PID: 3124)
- infinst.exe (PID: 7804)
- infinst.exe (PID: 896)
- infinst.exe (PID: 7272)
- infinst.exe (PID: 5116)
- infinst.exe (PID: 4880)
- infinst.exe (PID: 5056)
- infinst.exe (PID: 6572)
- infinst.exe (PID: 4304)
- infinst.exe (PID: 6148)
- infinst.exe (PID: 4572)
- infinst.exe (PID: 5244)
- infinst.exe (PID: 6156)
- infinst.exe (PID: 5084)
- infinst.exe (PID: 2092)
- infinst.exe (PID: 3900)
- infinst.exe (PID: 7556)
- infinst.exe (PID: 7528)
- infinst.exe (PID: 7580)
- infinst.exe (PID: 4228)
- infinst.exe (PID: 5072)
- infinst.exe (PID: 2084)
- infinst.exe (PID: 7240)
- infinst.exe (PID: 3012)
- infinst.exe (PID: 5324)
- infinst.exe (PID: 1004)
- infinst.exe (PID: 6384)
- infinst.exe (PID: 7672)
- infinst.exe (PID: 2236)
- infinst.exe (PID: 7728)
- infinst.exe (PID: 7100)
- infinst.exe (PID: 7764)
- infinst.exe (PID: 7572)
- infinst.exe (PID: 3992)
- infinst.exe (PID: 5384)
Create files in a temporary directory
- dxwebsetup.exe (PID: 3784)
- dxwsetup.exe (PID: 7148)
Checks supported languages
- dxwebsetup.exe (PID: 3784)
- dxwsetup.exe (PID: 7148)
Reads the computer name
- dxwsetup.exe (PID: 7148)
Checks proxy server information
- dxwsetup.exe (PID: 7148)
Creates files or folders in the user directory
- dxwsetup.exe (PID: 7148)
Reads the software policy settings
- dxwsetup.exe (PID: 7148)
- slui.exe (PID: 6272)
Reads the machine GUID from the registry
- dxwsetup.exe (PID: 7148)
Manual execution by a user
- firefox.exe (PID: 5228)
- WinRAR.exe (PID: 7304)
- nv.exe (PID: 8112)
- nv.exe (PID: 4040)
- nv.exe (PID: 5964)
- nv.exe (PID: 6900)
Application launched itself
- firefox.exe (PID: 5228)
- firefox.exe (PID: 5404)
Manages system restore points
- SrTasks.exe (PID: 8160)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 7304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2001:08:18 01:42:57+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 7 |
| CodeSize: | 34816 |
| InitializedDataSize: | 250368 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x5a5e |
| OSVersion: | 5.1 |
| ImageVersion: | 5.1 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 6.0.2600.0 |
| ProductVersionNumber: | 6.0.2600.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | DirectX 9.0 Web setup |
| FileVersion: | 9.29.1974.0 |
| InternalName: | DXWebSetup |
| LegalCopyright: | Copyright (c) Microsoft Corporation. All rights reserved. |
| OriginalFileName: | dxwebsetup.exe |
| ProductName: | Microsoft® Windows® Operating System |
| ProductVersion: | 9.29.1974.0 |
Total processes
270
Monitored processes
132
Malicious processes
77
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 456 | C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\xactengine3_0.dll | C:\Windows\System32\regsvr32.exe | — | dxwsetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 736 | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe XACT2_10_x64.inf | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 744 | C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\xactengine3_2.dll | C:\Windows\System32\regsvr32.exe | — | dxwsetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 864 | C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\XAudio2_3.dll | C:\Windows\System32\regsvr32.exe | — | dxwsetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 896 | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe XACT3_1_x64.inf | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 904 | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe XAudio2_0_x64.inf | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1004 | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe XACT3_6_x64.inf | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1012 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1052 | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe d3dx9_25_x64.inf | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1088 | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe d3dx10_37_x64.inf | C:\Users\admin\AppData\Local\Temp\DX64BE.tmp\infinst.exe | dxwsetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
31 721
Read events
31 383
Write events
318
Delete events
20
Modification events
| (PID) Process: | (3784) dxwebsetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | wextract_cleanup0 |
Value: rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\" | |||
| (PID) Process: | (7148) dxwsetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7148) dxwsetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7148) dxwsetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (7148) dxwsetup.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 400000000000000067E519DB01CCDB01EC1B00006C050000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2772) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 480000000000000004491CDB01CCDB01D40A000050140000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2772) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 4800000000000000C73866DB01CCDB01D40A000050140000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2772) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 4800000000000000C73866DB01CCDB01D40A000050140000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2772) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000930469DB01CCDB01D40A000050140000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2772) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000695B6DDB01CCDB01D40A000050140000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
658
Suspicious files
1 265
Text files
87
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3784 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll | executable | |
MD5:A5412A144F63D639B47FCC1BA68CB029 | SHA256:8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6 | |||
| 3784 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll | executable | |
MD5:984CAD22FA542A08C5D22941B888D8DC | SHA256:57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308 | |||
| 3784 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif | text | |
MD5:7B1FBE9F5F43B2261234B78FE115CF8E | SHA256:762FF640013DB2BD4109D7DF43A867303093815751129BD1E33F16BF02E52CCE | |||
| 3784 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf | text | |
MD5:AD8982EAA02C7AD4D7CDCBC248CAA941 | SHA256:D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00 | |||
| 7148 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\SETBBFF.tmp | executable | |
MD5:984CAD22FA542A08C5D22941B888D8DC | SHA256:57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308 | |||
| 7148 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | executable | |
MD5:984CAD22FA542A08C5D22941B888D8DC | SHA256:57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308 | |||
| 7148 | dxwsetup.exe | C:\Windows\Logs\DirectX.log | text | |
MD5:86D6D700E8C8983B581FD4F26D960143 | SHA256:1D1F6419A42575AEE15120F286110E566E4BF28A1DEEF3DB53C913E050399D2F | |||
| 7148 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\SETBC0F.tmp | executable | |
MD5:A5412A144F63D639B47FCC1BA68CB029 | SHA256:8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6 | |||
| 7148 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | executable | |
MD5:A5412A144F63D639B47FCC1BA68CB029 | SHA256:8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6 | |||
| 7148 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\filelist.dat | text | |
MD5:CC85D7649546D3C0B1607F761B73FEC2 | SHA256:E1C85577FEE77B7535AF5918DE16479D5B38F08D7AADBF1B3613D275C7797920 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
205
TCP/UDP connections
117
DNS requests
135
Threats
20
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2104 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
7148 | dxwsetup.exe | GET | 302 | 2.18.160.223:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/dxupdate.cab | unknown | — | — | whitelisted |
7148 | dxwsetup.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | — | — | whitelisted |
7148 | dxwsetup.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
7148 | dxwsetup.exe | GET | 302 | 2.18.160.223:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Apr2006_xinput_x86.cab | unknown | — | — | whitelisted |
7148 | dxwsetup.exe | GET | 302 | 2.18.160.223:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Apr2006_xinput_x64.cab | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7148 | dxwsetup.exe | GET | 302 | 2.18.160.223:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Aug2006_xinput_x86.cab | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2104 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
7148 | dxwsetup.exe | 2.18.160.223:80 | download.microsoft.com | AKAMAI-AS | DE | whitelisted |
7148 | dxwsetup.exe | 2.18.160.223:443 | download.microsoft.com | AKAMAI-AS | DE | whitelisted |
7148 | dxwsetup.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
download.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz) |
2196 | svchost.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz) |
5404 | firefox.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz) |
5404 | firefox.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz) |
2196 | svchost.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz) |
5404 | firefox.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz) |
2196 | svchost.exe | Misc activity | ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) |
2196 | svchost.exe | Misc activity | ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) |
2196 | svchost.exe | Misc activity | ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) |
2196 | svchost.exe | Misc activity | ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) |