File name:

dxwebsetup.exe

Full analysis: https://app.any.run/tasks/0b5bf08d-95a9-42f8-bc2e-c3da5c7706f6
Verdict: Malicious activity
Analysis date: June 15, 2025, 14:49:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive, 3 sections
MD5:

880A353DC9AB4202F2CFBEC1CB37181D

SHA1:

0BAFEE10ED68194FB332D3B46F7D92C8AD962843

SHA256:

6B5C9CEC68C7F3C0BA98B8D0B335F1BE8EA4CD37FB02B4C81ECC1A95EF6D9578

SSDEEP:

6144:OWK8faaQMbjFtVNtHb7RGb/Mp7mgypysDVpU2drVxP:LaaQMXDFFfp7S5DbU2RP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • dxwebsetup.exe (PID: 6684)
      • dxwebsetup.exe (PID: 5712)
    • Changes the autorun value in the registry

      • dxwebsetup.exe (PID: 5712)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • dxwebsetup.exe (PID: 5712)
      • dxwsetup.exe (PID: 768)
    • Starts a Microsoft application from unusual location

      • dxwebsetup.exe (PID: 6684)
      • dxwebsetup.exe (PID: 5712)
      • dxwsetup.exe (PID: 768)
    • Executable content was dropped or overwritten

      • dxwebsetup.exe (PID: 5712)
      • dxwsetup.exe (PID: 768)
  • INFO

    • The sample was compiled with English language support

      • dxwebsetup.exe (PID: 5712)
      • dxwsetup.exe (PID: 768)
    • Create files in a temporary directory

      • dxwebsetup.exe (PID: 5712)
    • Checks supported languages

      • dxwebsetup.exe (PID: 5712)
      • dxwsetup.exe (PID: 768)
    • The sample was compiled with Chinese language support

      • dxwebsetup.exe (PID: 5712)
      • dxwsetup.exe (PID: 768)
    • Launching a file from a Registry key

      • dxwebsetup.exe (PID: 5712)
    • Reads the computer name

      • dxwsetup.exe (PID: 768)
    • Reads the software policy settings

      • slui.exe (PID: 5504)
    • Checks proxy server information

      • slui.exe (PID: 5504)
    • Manual execution by a user

      • rundll32.exe (PID: 2140)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:08:18 01:42:57+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7
CodeSize: 34816
InitializedDataSize: 258048
UninitializedDataSize: -
EntryPoint: 0x5a5e
OSVersion: 5.1
ImageVersion: 5.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.2600.0
ProductVersionNumber: 6.0.2600.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: DirectX 9.0 Web setup
FileVersion: 9.28.1886.0
InternalName: DXWebSetup
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName: dxwebsetup.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 9.28.1886.0
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Graph nodes (image not reproduced): start, dxwebsetup.exe, dxwsetup.exe, rundll32.exe (no specs), slui.exe, dxwebsetup.exe (no specs)

Process information

PID: 768
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Parent process: dxwebsetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DirectX Setup
Version: 4.9.0.0904
Modules (images):
c:\users\admin\appdata\local\temp\ixp000.tmp\dxwsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 2140
CMD: rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

PID: 5504
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5712
CMD: "C:\Users\admin\Desktop\dxwebsetup.exe"
Path: C:\Users\admin\Desktop\dxwebsetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DirectX 9.0 Web setup
Version: 9.28.1886.0
Modules (images):
c:\users\admin\desktop\dxwebsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll (application-compatibility shim DLL, loaded together with apphelp.dll when a compatibility fix applies to the image)

PID: 6684
CMD: "C:\Users\admin\Desktop\dxwebsetup.exe"
Path: C:\Users\admin\Desktop\dxwebsetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: DirectX 9.0 Web setup
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch was refused because the binary requires elevation; PID 5712 is the elevated, HIGH-integrity instance of the same file)
Version: 9.28.1886.0
Modules (images):
c:\users\admin\desktop\dxwebsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
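
The process table prints exit codes as unsigned decimals and names each parent by image only, so two things are easy to misread: which processes belong to the sample, and why PID 6684 died. The following Python is added here and is not part of the ANY.RUN report; it transcribes the five rows above into records, decodes exit codes as NTSTATUS values, and pairs an instance that failed with STATUS_ELEVATION_REQUIRED with the instance of the same image that then ran at a higher integrity level. The record layout, the small NTSTATUS table and the by-image-name parentage rule are my own assumptions, not the service's data model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str               # full path, as the Path column shows it
    parent: str              # the report names the parent by image only, not by PID
    integrity: str           # LOW / MEDIUM / HIGH / SYSTEM
    exit_code: Optional[int]  # unsigned decimal as printed; None = no exit code shown


# Transcribed from the process table above.
PROCS = [
    Proc(768,  r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe", "dxwebsetup.exe", "HIGH", None),
    Proc(2140, r"C:\Windows\System32\rundll32.exe", "explorer.exe", "MEDIUM", 0),
    Proc(5504, r"C:\Windows\System32\slui.exe", "svchost.exe", "MEDIUM", 0),
    Proc(5712, r"C:\Users\admin\Desktop\dxwebsetup.exe", "explorer.exe", "HIGH", None),
    Proc(6684, r"C:\Users\admin\Desktop\dxwebsetup.exe", "explorer.exe", "MEDIUM", 3221226540),
]

# A few NTSTATUS values that commonly surface as process exit codes (assumed subset, not a full table).
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}

IL_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}


def decode_exit_code(code: Optional[int]) -> str:
    """Sandboxes print exit codes as unsigned decimal; anything >= 0xC0000000 is an NTSTATUS error."""
    if code is None:
        return "no exit code"
    u = code & 0xFFFFFFFF
    name = NTSTATUS.get(u)
    if name:
        return f"0x{u:08X} {name}"
    return f"0x{u:08X} NTSTATUS error" if u >= 0xC0000000 else str(u)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def elevation_relaunches(procs):
    """(failed_pid, elevated_pid) pairs: an instance that exited with STATUS_ELEVATION_REQUIRED
    and another instance of the same image that ran at a higher integrity level."""
    pairs = []
    for p in procs:
        if p.exit_code is not None and (p.exit_code & 0xFFFFFFFF) == 0xC000042C:
            for q in procs:
                if (q.pid != p.pid and q.image.lower() == p.image.lower()
                        and IL_RANK[q.integrity] > IL_RANK[p.integrity]):
                    pairs.append((p.pid, q.pid))
    return pairs


def sample_tree(procs, root="dxwebsetup.exe"):
    """PIDs of the root image and everything descended from it. Parentage is by image name
    only, because that is all the table gives; unrelated processes sharing a name would merge."""
    names = {root.lower()}
    pids = set()
    grew = True
    while grew:
        grew = False
        for p in procs:
            if p.pid not in pids and (basename(p.image) in names or p.parent.lower() in names):
                pids.add(p.pid)
                names.add(basename(p.image))
                grew = True
    return pids


if __name__ == "__main__":
    for p in PROCS:
        print(p.pid, basename(p.image), p.integrity, decode_exit_code(p.exit_code))
    print("elevation re-launches:", elevation_relaunches(PROCS))
    print("sample tree:", sorted(sample_tree(PROCS)))
```

Run as a script it prints 6684 as `0xC000042C STATUS_ELEVATION_REQUIRED`, pairs it with 5712, and reports the sample tree as 768, 5712 and 6684; rundll32.exe (2140) and slui.exe (5504) fall outside it because their parents are explorer.exe and svchost.exe.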
Total events: 3 564
Read events: 3 563
Write events: 1
Delete events: 0

Modification events

PID 5712 (dxwebsetup.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: wextract_cleanup0
Value: rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"

This is the only write event in the run and the one the "Changes the autorun value in the registry" signature fires on. A RunOnce value named wextract_cleanup<N> whose data is rundll32.exe advpack.dll,DelNodeRunDLL32 "<IXP###.TMP folder>" is the standard self-cleanup entry written by the Windows self-extracting (wextract/IExpress) stub so that its temporary extraction folder is deleted at the next logon; rundll32.exe PID 2140 in the process list is that exact command line running. The key sits under WOW6432Node because the writer is a 32-bit process. The entry deletes the dropped files rather than re-launching any of them, so it is not the sample persisting its own code; of the two MALICIOUS-tier signatures on this page, this one and the untrusted-certificate one, neither reflects observed payload or C2 behaviour.
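
Telling the self-extractor's cleanup entry apart from a real autorun is the tuning question this event raises. The following Python is an added example, not code from ANY.RUN or from the sample; it takes registry writes in the shape shown above, ignores keys that are not Run/RunOnce locations, accepts only the exact wextract shape (rundll32 loading advpack.dll from the Windows system directory, the DelNodeRunDLL32 export, one quoted IXP###.TMP folder under the user's temp directory) as cleanup, and flags everything else. The first row is the event from this report; the other three rows are constructed for contrast, and the regexes and verdict names are my own.

```python
import re

# Registry writes in the shape the report shows: (process, key, value name, value data).
# Row 1 is the event from the report; rows 2-4 are constructed for contrast.
REG_WRITES = [
    ("dxwebsetup.exe",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "wextract_cleanup0",
     r'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"'),
    # constructed: cleanup-style name, but rundll32 is pointed at a DLL dropped in the temp folder
    ("dxwebsetup.exe",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "wextract_cleanup0",
     r'rundll32.exe C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"'),
    # constructed: an ordinary Run-key persistence entry
    ("updater.exe",
     r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Updater",
     r'"C:\Users\admin\AppData\Roaming\upd\updater.exe" -silent'),
    # constructed: a write outside any autorun key, which the rule must ignore
    ("dxwsetup.exe",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectX",
     "Version",
     "4.09.00.0904"),
]

AUTORUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)$",
    re.I)

# The shape the wextract stub writes: rundll32 loading advpack.dll out of the Windows system
# directory, the DelNodeRunDLL32 export, and exactly one quoted IXP###.TMP folder under %TEMP%.
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32(?:\.exe)?\s+'
    r'(?:[a-z]:\\windows\\(?:system32|syswow64)\\)?advpack\.dll,DelNodeRunDLL32\s+'
    r'"[a-z]:\\users\\[^"\\]+\\appdata\\local\\temp\\IXP\d{3}\.TMP\\"$',
    re.I)


def classify_autorun_write(process, key, name, data):
    """Return (verdict, reason) for one registry write."""
    if not AUTORUN_KEY.search(key):
        return ("ignore", "not a Run/RunOnce key")
    if name.lower().startswith("wextract_cleanup"):
        if WEXTRACT_CLEANUP.match(data):
            return ("cleanup", "wextract/IExpress temp-folder cleanup (advpack DelNodeRunDLL32)")
        return ("suspicious", "cleanup-style value name but the command is not the wextract pattern")
    return ("persistence", f"{process} installed an autorun entry: {data}")


def triage(writes):
    """(value name, verdict) per write, in input order."""
    return [(w[2], classify_autorun_write(*w)[0]) for w in writes]


if __name__ == "__main__":
    for w in REG_WRITES:
        verdict, reason = classify_autorun_write(*w)
        print(f"{verdict:12} {w[2]:20} {reason}")
```

The match is deliberately anchored on the advpack.dll path and the IXP###.TMP target: a value that merely carries the wextract_cleanup name, or that points rundll32 at a DLL the sample itself dropped, is exactly what a lookalike would do, and the rule reports that as suspicious rather than cleanup.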
Executable files: 7
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5712 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll | executable
    MD5: 8DC08C0EFFFFC3D08E8718260843D10C
    SHA256: 9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
5712 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll | executable
    MD5: F6B14958D2A93750C3D4FAD02CA739BE
    SHA256: 529C3E93C1A7CBB0225AB5F12C5BB0E91EB905EBF3DB7FC00CBD96D8E66A6F0E
5712 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | executable
    MD5: A2772E5A8DF5DC3487E8516321ED29DA
    SHA256: 8FAC859DC73AB7A8C18F093C6A58ACCF3EE8F1B86A4BCFCE4C9E8A1253D2828F
768 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | executable
    MD5: 8DC08C0EFFFFC3D08E8718260843D10C
    SHA256: 9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
5712 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf | ini
    MD5: AD8982EAA02C7AD4D7CDCBC248CAA941
    SHA256: D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00
768 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\SET6B9B.tmp | executable
    MD5: 8DC08C0EFFFFC3D08E8718260843D10C
    SHA256: 9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
768 | dxwsetup.exe | C:\Windows\Logs\DirectX.log | text
    MD5: F444AD44B5933A2495D7F105863D5957
    SHA256: C094E40600D0E5D148B60DED9F963877953AA99B8697128FA18394AFDE3358D3
768 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\SET6BAB.tmp | executable
    MD5: F6B14958D2A93750C3D4FAD02CA739BE
    SHA256: 529C3E93C1A7CBB0225AB5F12C5BB0E91EB905EBF3DB7FC00CBD96D8E66A6F0E
768 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | executable
    MD5: F6B14958D2A93750C3D4FAD02CA739BE
    SHA256: 529C3E93C1A7CBB0225AB5F12C5BB0E91EB905EBF3DB7FC00CBD96D8E66A6F0E
5712 | dxwebsetup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif | ini
    MD5: 4BF39E4BB4A0595EF7A83CE93279F1DC
    SHA256: 32E1BD2E381F27D9815A5EE44F82B000DA3522E205E26991D2B490A527E62C30
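
Seven "executable" rows look like a lot of dropped code until the hashes are compared: the SETxxxx.tmp names are SetupAPI's staging copies, and every binary written under SysWOW64\directx\websetup carries a hash that already appeared in the IXP000.TMP extraction folder. The following Python is added here and is not part of the ANY.RUN report; it transcribes the rows above, groups them by SHA256, pairs each staging file with the final file of the same hash in the same directory, and lists any executable outside the extraction folder whose hash never appeared inside it. The record layout and the helper names are my own.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# SHA256 values transcribed from the dropped-files table above.
SHA_DSETUP = "9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D"
SHA_DSETUP32 = "529C3E93C1A7CBB0225AB5F12C5BB0E91EB905EBF3DB7FC00CBD96D8E66A6F0E"
SHA_DXWSETUP = "8FAC859DC73AB7A8C18F093C6A58ACCF3EE8F1B86A4BCFCE4C9E8A1253D2828F"
TMP = r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP"
WEB = r"C:\Windows\SysWOW64\directx\websetup"

# (pid, process, path, type, sha256), in the order the report lists them.
DROPPED = [
    (5712, "dxwebsetup.exe", TMP + r"\dsetup.dll", "executable", SHA_DSETUP),
    (5712, "dxwebsetup.exe", TMP + r"\dsetup32.dll", "executable", SHA_DSETUP32),
    (5712, "dxwebsetup.exe", TMP + r"\dxwsetup.exe", "executable", SHA_DXWSETUP),
    (768, "dxwsetup.exe", WEB + r"\dsetup.dll", "executable", SHA_DSETUP),
    (5712, "dxwebsetup.exe", TMP + r"\dxwsetup.inf", "ini",
     "D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00"),
    (768, "dxwsetup.exe", WEB + r"\SET6B9B.tmp", "executable", SHA_DSETUP),
    (768, "dxwsetup.exe", r"C:\Windows\Logs\DirectX.log", "text",
     "C094E40600D0E5D148B60DED9F963877953AA99B8697128FA18394AFDE3358D3"),
    (768, "dxwsetup.exe", WEB + r"\SET6BAB.tmp", "executable", SHA_DSETUP32),
    (768, "dxwsetup.exe", WEB + r"\dsetup32.dll", "executable", SHA_DSETUP32),
    (5712, "dxwebsetup.exe", TMP + r"\dxwsetup.cif", "ini",
     "32E1BD2E381F27D9815A5EE44F82B000DA3522E205E26991D2B490A527E62C30"),
]

# SetupAPI writes SETxxxx.tmp into the target directory and renames it over the final file.
SETUPAPI_TMP = re.compile(r"^SET[0-9A-F]{4}\.tmp$", re.I)


def by_hash(rows):
    """Every path written with each SHA256, so copies of one binary collapse to one entry."""
    groups = defaultdict(list)
    for _pid, _proc, path, _type, sha in rows:
        groups[sha.upper()].append(path)
    return dict(groups)


def distinct_executables(rows):
    return {sha.upper() for _, _, _, t, sha in rows if t == "executable"}


def staging_pairs(rows):
    """Map each SETxxxx.tmp to the final file in the same directory carrying the same hash."""
    per_dir = defaultdict(list)
    for _pid, _proc, path, _type, sha in rows:
        p = PureWindowsPath(path)
        per_dir[str(p.parent).lower()].append((p.name, sha.upper()))
    pairs = {}
    for entries in per_dir.values():
        finals = {sha: name for name, sha in entries if not SETUPAPI_TMP.match(name)}
        for name, sha in entries:
            if SETUPAPI_TMP.match(name):
                pairs[name] = finals.get(sha)
    return pairs


def untraceable_executables(rows, extract_dir=TMP):
    """Executables written outside the extraction folder whose hash never appeared inside it.
    Anything listed here did not come out of the CAB and deserves a closer look."""
    prefix = extract_dir.lower() + "\\"
    inside = {sha.upper() for _, _, path, t, sha in rows
              if t == "executable" and path.lower().startswith(prefix)}
    return [path for _, _, path, t, sha in rows
            if t == "executable" and not path.lower().startswith(prefix)
            and sha.upper() not in inside]


if __name__ == "__main__":
    print("distinct executables:", len(distinct_executables(DROPPED)))
    print("staging copies:", staging_pairs(DROPPED))
    print("untraceable:", untraceable_executables(DROPPED))
```

For this run the seven executable rows reduce to three distinct binaries (dsetup.dll, dsetup32.dll, dxwsetup.exe), the two SET*.tmp files pair with dsetup.dll and dsetup32.dll, and nothing written to SysWOW64 is untraceable to the extracted archive.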
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 21
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(not shown) | (not shown) | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
(not shown) | (not shown) | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4172 | RUXIMICS.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4172 | RUXIMICS.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4172 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4172 | RUXIMICS.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4172 | RUXIMICS.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
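
Both the HTTP requests and the connections tables are keyed by PID, so the first question for a "web setup" sample is whether any of that traffic belongs to its process tree. The following Python is added here and is not part of the ANY.RUN report; it transcribes the rows from the two tables above, buckets each event as coming from the sample tree, from an unrelated OS process, or from a row with no PID at all, and lists the hosts per bucket. The sample PID set is taken from the process table earlier in the report (5712, 6684, 768 and the rundll32.exe cleanup 2140); the record layout and helper names are my own.

```python
from urllib.parse import urlsplit

# PIDs of the sample and its children, taken from the process table in this report.
SAMPLE_PIDS = {5712, 6684, 768, 2140}

ACTIVATION = ("https://activation-v2.sls.microsoft.com/SLActivateProduct/"
              "SLActivateProduct.asmx?configextension=Retail")
CRL_SEC = "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"
CRL_ROOT = "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"

# HTTP rows transcribed from the table above: (pid, process, method, status, ip:port, url).
# pid None means the report shows no PID or process for that row.
HTTP = [
    (None, None, "POST", 500, "20.83.72.98:443", ACTIVATION),
    (1268, "svchost.exe", "GET", 200, "2.16.253.202:80", CRL_SEC),
    (None, None, "POST", 500, "20.83.72.98:443", ACTIVATION),
    (5944, "MoUsoCoreWorker.exe", "GET", 200, "2.16.253.202:80", CRL_SEC),
    (1268, "svchost.exe", "GET", 200, "2.20.245.137:80", CRL_ROOT),
    (5944, "MoUsoCoreWorker.exe", "GET", 200, "2.20.245.137:80", CRL_ROOT),
    (4172, "RUXIMICS.exe", "GET", 200, "2.20.245.137:80", CRL_ROOT),
    (4172, "RUXIMICS.exe", "GET", 200, "2.16.253.202:80", CRL_SEC),
]

# Connection rows transcribed from the table above: (pid, process, ip:port, domain or None).
CONNS = [
    (4, "System", "192.168.100.255:137", None),
    (5944, "MoUsoCoreWorker.exe", "20.73.194.208:443", "settings-win.data.microsoft.com"),
    (4172, "RUXIMICS.exe", "20.73.194.208:443", "settings-win.data.microsoft.com"),
    (1268, "svchost.exe", "20.73.194.208:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:138", None),
    (5944, "MoUsoCoreWorker.exe", "2.20.245.137:80", "crl.microsoft.com"),
    (4172, "RUXIMICS.exe", "2.20.245.137:80", "crl.microsoft.com"),
    (1268, "svchost.exe", "2.20.245.137:80", "crl.microsoft.com"),
    (4172, "RUXIMICS.exe", "2.16.253.202:80", "www.microsoft.com"),
    (5944, "MoUsoCoreWorker.exe", "2.16.253.202:80", "www.microsoft.com"),
]


def events():
    """Flatten both tables into (pid, process, host, detail) records."""
    evs = []
    for pid, proc, method, status, _ipport, url in HTTP:
        evs.append((pid, proc, urlsplit(url).hostname, f"{method} {status} {url}"))
    for pid, proc, ipport, domain in CONNS:
        evs.append((pid, proc, domain or ipport.rsplit(":", 1)[0], f"connect {ipport}"))
    return evs


def attribute(evs, sample_pids):
    """Bucket each event: made by the sample tree, by an unrelated OS process, or with no PID."""
    buckets = {"sample": [], "background": [], "unattributed": []}
    for ev in evs:
        pid = ev[0]
        key = "unattributed" if pid is None else ("sample" if pid in sample_pids else "background")
        buckets[key].append(ev)
    return buckets


def hosts(evs):
    return sorted({host for _, _, host, _ in evs})


def sample_went_online(evs, sample_pids=SAMPLE_PIDS):
    return bool(attribute(evs, sample_pids)["sample"])


if __name__ == "__main__":
    for name, evs in attribute(events(), SAMPLE_PIDS).items():
        print(f"{name:13} {len(evs):2} events  hosts={hosts(evs)}")
```

For this run the sample bucket is empty: all sixteen attributed events come from svchost.exe, MoUsoCoreWorker.exe, RUXIMICS.exe and System, and the only events that cannot be placed are the two activation POSTs with no PID, which is where the PCAP in the full report would be needed. A DirectX web setup that reaches the end of the monitoring window without having fetched anything itself is worth noting either way, whether the run was too short or the installer found nothing to download.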

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.24
whitelisted

Threats

No threats detected
Process | Message
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_DETACH
dxwsetup.exe | DLL_PROCESS_DETACH