File name: dxwebsetup.exe
Full analysis: https://app.any.run/tasks/83486b87-72e5-4045-921f-899650e8f502
Verdict: Malicious activity
Analysis date: June 15, 2025, 14:48:49
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive, 3 sections
MD5: 880A353DC9AB4202F2CFBEC1CB37181D
SHA1: 0BAFEE10ED68194FB332D3B46F7D92C8AD962843
SHA256: 6B5C9CEC68C7F3C0BA98B8D0B335F1BE8EA4CD37FB02B4C81ECC1A95EF6D9578
SSDEEP: 6144:OWK8faaQMbjFtVNtHb7RGb/Mp7mgypysDVpU2drVxP:LaaQMXDFFfp7S5DbU2RP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • dxwebsetup.exe (PID: 6652)
      • dxwebsetup.exe (PID: 6704)
    • Changes the autorun value in the registry

      • dxwebsetup.exe (PID: 6704)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • dxwebsetup.exe (PID: 6704)
      • dxwsetup.exe (PID: 2716)
    • Starts a Microsoft application from unusual location

      • dxwebsetup.exe (PID: 6652)
      • dxwebsetup.exe (PID: 6704)
      • dxwsetup.exe (PID: 2716)
    • Reads security settings of Internet Explorer

      • dxwsetup.exe (PID: 2716)
    • Executable content was dropped or overwritten

      • dxwebsetup.exe (PID: 6704)
      • dxwsetup.exe (PID: 2716)
  • INFO

    • The sample compiled with english language support

      • dxwebsetup.exe (PID: 6704)
      • dxwsetup.exe (PID: 2716)
    • Checks supported languages

      • dxwebsetup.exe (PID: 6704)
      • dxwsetup.exe (PID: 2716)
    • Launching a file from a Registry key

      • dxwebsetup.exe (PID: 6704)
    • Reads the machine GUID from the registry

      • dxwsetup.exe (PID: 2716)
    • Reads the software policy settings

      • dxwsetup.exe (PID: 2716)
    • Create files in a temporary directory

      • dxwebsetup.exe (PID: 6704)
      • dxwsetup.exe (PID: 2716)
    • The sample compiled with chinese language support

      • dxwebsetup.exe (PID: 6704)
      • dxwsetup.exe (PID: 2716)
    • Reads the computer name

      • dxwsetup.exe (PID: 2716)
    • Checks proxy server information

      • dxwsetup.exe (PID: 2716)
    • Creates files or folders in the user directory

      • dxwsetup.exe (PID: 2716)
Reading the two MALICIOUS indicators: the file is a WExtract self-extractor (see File info above), and the autorun write is the RunOnce value wextract_cleanup0 that the WExtract stub sets so that its IXP000.TMP extraction directory is deleted at the next logon (see Modification events below). The certificate indicator means the sandbox's Windows 10 host did not chain this copy's Authenticode signature to a trusted root; that is consistent with an old or revoked signing chain as well as with a tampered file, so it does not settle the question either way. Before acting on the verdict, verify the signature against a current trust store and compare the SHA256 above with a copy of dxwebsetup.exe obtained directly from Microsoft.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:08:18 01:42:57+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7
CodeSize: 34816
InitializedDataSize: 258048
UninitializedDataSize: -
EntryPoint: 0x5a5e
OSVersion: 5.1
ImageVersion: 5.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.2600.0
ProductVersionNumber: 6.0.2600.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: DirectX 9.0 Web setup
FileVersion: 9.28.1886.0
InternalName: DXWebSetup
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName: dxwebsetup.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 9.28.1886.0
Note: the fixed version info (6.0.2600.0), OSVersion 5.1, linker version 7 and the 2001 timestamp describe the WExtract self-extractor stub, an XP-era Microsoft component; the string FileVersion 9.28.1886.0 describes the DirectX web setup package wrapped inside it. A version mismatch of this kind is normal for WExtract packages and is not by itself a sign of tampering.
All screenshots are available in the full report
Total processes
141
Monitored processes
4
Malicious processes
1
Suspicious processes
2

Behavior graph

Process tree (reconstructed from the Process information table below; the graph marks slui.exe and one dxwebsetup.exe instance "no specs"):

explorer.exe
  dxwebsetup.exe (PID 6652, MEDIUM integrity; exited 3221226540 = 0xC000042C, STATUS_ELEVATION_REQUIRED)
  dxwebsetup.exe (PID 6704, HIGH integrity; same command line and parent, consistent with the UAC-elevated relaunch)
    dxwsetup.exe (PID 2716, HIGH integrity; extracted to IXP000.TMP)
svchost.exe
  slui.exe (PID 5184, MEDIUM integrity; Windows activation client, not started by the sample)

Process information

PID: 2716
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Parent process: dxwebsetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DirectX Setup
Version: 4.9.0.0904
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\dxwsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 5184
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6652
CMD: "C:\Users\admin\Desktop\dxwebsetup.exe"
Path: C:\Users\admin\Desktop\dxwebsetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: DirectX 9.0 Web setup
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the loader refused to run this medium-integrity instance without elevation, which is why only ntdll.dll appears in its module list; PID 6704 below is the elevated instance that did the work)
Version: 9.28.1886.0
Modules
Images
c:\users\admin\desktop\dxwebsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6704
CMD: "C:\Users\admin\Desktop\dxwebsetup.exe"
Path: C:\Users\admin\Desktop\dxwebsetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DirectX 9.0 Web setup
Version: 9.28.1886.0
Modules
Images
c:\users\admin\desktop\dxwebsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
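As an added example, not part of the ANY.RUN report and not Microsoft or ANY.RUN code: decoding the opaque decimal exit code above and pairing the two dxwebsetup.exe instances as a UAC elevation relaunch. The process records are transcribed from the Process information table; the Proc dataclass, the small NTSTATUS table and the pairing rule are my own.

```python
from dataclasses import dataclass
from typing import Optional

STATUS_ELEVATION_REQUIRED = 0xC000042C

# Only the NTSTATUS values this example needs; extend from ntstatus.h as required.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}


def decode_ntstatus(exit_code: int) -> tuple[str, str]:
    """Map a process exit code to (hex, name).

    Sandboxes print exit codes as unsigned decimals, so 3221226540 is 0xC000042C.
    Unknown codes are broken into the NTSTATUS severity/facility/code fields.
    """
    code = exit_code & 0xFFFFFFFF
    if code in NTSTATUS_NAMES:
        return f"0x{code:08X}", NTSTATUS_NAMES[code]
    severity = ("success", "informational", "warning", "error")[code >> 30]
    facility = (code >> 16) & 0x0FFF
    return f"0x{code:08X}", f"{severity}, facility 0x{facility:03X}, code 0x{code & 0xFFFF:04X}"


@dataclass
class Proc:
    pid: int
    image: str
    parent: str
    integrity: str
    exit_code: Optional[int] = None


def find_elevation_relaunch(procs: list[Proc]) -> list[tuple[int, int]]:
    """Pair each MEDIUM-integrity process that died with STATUS_ELEVATION_REQUIRED
    with a HIGH-integrity process of the same image and parent: the UAC relaunch.
    """
    pairs = []
    for low in procs:
        if low.integrity != "MEDIUM" or low.exit_code is None:
            continue
        if (low.exit_code & 0xFFFFFFFF) != STATUS_ELEVATION_REQUIRED:
            continue
        for high in procs:
            if (high.pid != low.pid
                    and high.integrity == "HIGH"
                    and high.image.lower() == low.image.lower()
                    and high.parent.lower() == low.parent.lower()):
                pairs.append((low.pid, high.pid))
    return pairs


# Transcribed from the report's Process information table.
REPORT_PROCS = [
    Proc(6652, r"C:\Users\admin\Desktop\dxwebsetup.exe", "explorer.exe", "MEDIUM", 3221226540),
    Proc(6704, r"C:\Users\admin\Desktop\dxwebsetup.exe", "explorer.exe", "HIGH"),
    Proc(2716, r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe", "dxwebsetup.exe", "HIGH"),
    Proc(5184, r"C:\Windows\System32\slui.exe", "svchost.exe", "MEDIUM"),
]

if __name__ == "__main__":
    print(decode_ntstatus(3221226540))            # ('0xC000042C', 'STATUS_ELEVATION_REQUIRED')
    print(find_elevation_relaunch(REPORT_PROCS))  # [(6652, 6704)]
```

The pairing matters for triage: the indicators attributed to PID 6652 describe a process that never got past the loader, so everything of substance (the RunOnce write, the drops, the network traffic) belongs to PID 6704 and its child 2716.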
Total events
4 358
Read events
4 354
Write events
4
Delete events
0

Modification events

PID 6704 dxwebsetup.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write
  Name: wextract_cleanup0
  Value: rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
  This is the write behind the "Changes the autorun value in the registry" indicator. It is the self-cleanup entry the WExtract stub sets: at the next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the extraction directory, and RunOnce deletes the value when it is processed. It persists nothing of the sample. A Run or RunOnce value whose command is anything other than advpack.dll,DelNodeRunDLL32 with an IXP###.TMP argument would be a different matter, whatever the value is named.
PID 2716 dxwsetup.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write
  Name: CachePrefix
  Value: (empty)
PID 2716 dxwsetup.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write
  Name: CachePrefix
  Value: Cookie:
PID 2716 dxwsetup.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  Operation: write
  Name: CachePrefix
  Value: Visited:
  The three CachePrefix values are the defaults WinINet writes when it initialises its Content, Cookies and History cache containers; they are a side effect of the HTTP downloads below, not configuration by the sample.
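As an added example that is not part of the report: a parser for the flattened event layout used above and a classifier that treats only the exact WExtract pattern (value name wextract_cleanupN, command rundll32 advpack.dll,DelNodeRunDLL32 with an IXP###.TMP directory argument) as expected and flags every other Run/RunOnce write. The first two records in SAMPLE are copied from this report; the updater.exe and dropper.exe records, with their PIDs and paths, are constructed for the example. Matching on the command rather than the value name is the point of the fourth record.

```python
import re
from typing import Optional

HEADER_RE = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OP_RE = re.compile(r"^Operation:(\w+)Name:(.*)$")

# Autorun locations under CurrentVersion. Extend for Winlogon, Services, scheduled tasks etc.
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)(?:\\|$)",
    re.IGNORECASE,
)
# WExtract schedules deletion of its IXP###.TMP directory with a RunOnce value named
# wextract_cleanupN whose command is rundll32 advpack.dll,DelNodeRunDLL32 "<dir>".
WEXTRACT_NAME_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
WEXTRACT_CMD_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[a-z]:\\windows\\system32\\)?advpack\.dll,DelNodeRunDLL32'
    r'\s+"[a-z]:\\[^"]*IXP\d{3}\.TMP\\?"$',
    re.IGNORECASE,
)


def parse_events(text: str) -> list[dict]:
    """Parse the report's flattened 'Modification events' layout.

    Each record is a header line, an Operation/Name line, a 'Value:' line and then
    the value on its own line; the value line is absent when the value is empty.
    """
    lines = text.splitlines()
    events, i = [], 0
    while i < len(lines):
        header = HEADER_RE.match(lines[i])
        if header is None or i + 2 >= len(lines):
            i += 1
            continue
        op = OP_RE.match(lines[i + 1])
        if op is None or lines[i + 2] != "Value:":
            i += 1
            continue
        i += 3
        value = ""
        if i < len(lines) and HEADER_RE.match(lines[i]) is None:
            value, i = lines[i], i + 1
        events.append({
            "pid": int(header.group(1)), "process": header.group(2), "key": header.group(3),
            "op": op.group(1), "name": op.group(2), "value": value,
        })
    return events


def classify(event: dict) -> Optional[str]:
    """None for keys outside the autorun set; 'expected-wextract-cleanup' only when both the
    value name and the command match WExtract; 'autorun-write' for everything else."""
    if event["op"].lower() != "write" or not AUTORUN_KEY_RE.search(event["key"]):
        return None
    if WEXTRACT_NAME_RE.match(event["name"]) and WEXTRACT_CMD_RE.match(event["value"]):
        return "expected-wextract-cleanup"
    return "autorun-write"


def triage(text: str) -> list[tuple[int, str, str, str]]:
    """(pid, process, value name, label) for every autorun write in the log."""
    out = []
    for ev in parse_events(text):
        label = classify(ev)
        if label is not None:
            out.append((ev["pid"], ev["process"], ev["name"], label))
    return out


# Constructed log: records 1 and 2 are copied from this report; records 3 and 4 are made up
# to show a plain Run persistence entry and a spoofed wextract_cleanup name with a foreign DLL.
SAMPLE = r"""
(PID) Process:(6704) dxwebsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:wextract_cleanup0
Value:
rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
(PID) Process:(2716) dxwsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4242) updater.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:OneDriveUpdate
Value:
C:\Users\admin\AppData\Roaming\svc\updater.exe
(PID) Process:(4343) dropper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:wextract_cleanup1
Value:
rundll32.exe C:\Users\Public\advpack.dll,DelNodeRunDLL32 "C:\Users\Public\x\"
""".strip("\n")

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

On this report the classifier returns one expected WExtract cleanup and nothing else; the constructed updater.exe and dropper.exe records both come back as autorun-write, the second because its command loads advpack.dll from a user-writable directory rather than system32.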
Executable files
11
Suspicious files
331
Text files
2
Unknown types
0

Dropped files

PID 2716 dxwsetup.exe: C:\Windows\SysWOW64\directx\websetup\SET5A64.tmp (executable)
  MD5: 8DC08C0EFFFFC3D08E8718260843D10C
  SHA256: 9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
PID 2716 dxwsetup.exe: C:\Windows\SysWOW64\directx\websetup\filelist.dat (text)
  MD5: CC85D7649546D3C0B1607F761B73FEC2
  SHA256: E1C85577FEE77B7535AF5918DE16479D5B38F08D7AADBF1B3613D275C7797920
PID 2716 dxwsetup.exe: C:\Windows\SysWOW64\directx\websetup\SET5A75.tmp (executable)
  MD5: F6B14958D2A93750C3D4FAD02CA739BE
  SHA256: 529C3E93C1A7CBB0225AB5F12C5BB0E91EB905EBF3DB7FC00CBD96D8E66A6F0E
PID 6704 dxwebsetup.exe: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll (executable)
  MD5: F6B14958D2A93750C3D4FAD02CA739BE
  SHA256: 529C3E93C1A7CBB0225AB5F12C5BB0E91EB905EBF3DB7FC00CBD96D8E66A6F0E
PID 6704 dxwebsetup.exe: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe (executable)
  MD5: A2772E5A8DF5DC3487E8516321ED29DA
  SHA256: 8FAC859DC73AB7A8C18F093C6A58ACCF3EE8F1B86A4BCFCE4C9E8A1253D2828F
PID 2716 dxwsetup.exe: C:\Windows\Logs\DirectX.log (text)
  MD5: DD6C46BB7204EE356397F021F3BD9508
  SHA256: C3AABE556AD64996104FAAF5D40475108E7D8AE3C73FB8F587C8CAA66EAD26DF
PID 2716 dxwsetup.exe: C:\Windows\SysWOW64\directx\websetup\dsetup.dll (executable)
  MD5: 8DC08C0EFFFFC3D08E8718260843D10C
  SHA256: 9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
PID 2716 dxwsetup.exe: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (executable)
  MD5: F6B14958D2A93750C3D4FAD02CA739BE
  SHA256: 529C3E93C1A7CBB0225AB5F12C5BB0E91EB905EBF3DB7FC00CBD96D8E66A6F0E
PID 2716 dxwsetup.exe: C:\Windows\msdownld.tmp\AS176CF2.tmp\dxupdate.cab (compressed)
  MD5: 4AFD7F5C0574A0EFD163740ECB142011
  SHA256: 6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
PID 2716 dxwsetup.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 (binary)
  MD5: B97FB6BB7FBA5C0949FC69E0EADB55D0
  SHA256: BC4566C47164B5EEAFD95722C0816ADC1FEDF862105E0EC9872552D65027F642

The hashes repeat: SET5A64.tmp and dsetup.dll are the same file, and SET5A75.tmp matches both copies of dsetup32.dll, so the executables listed here are three distinct binaries (dsetup.dll, dsetup32.dll, dxwsetup.exe). SET####.tmp is the staging name Windows file-copy routines use before renaming a file into place, dxupdate.cab in msdownld.tmp is the download from the first HTTP request below, and the CryptnetUrlCache entry is the local cache of an object fetched during signature verification; the per-write count above is therefore higher than the number of distinct payloads.
HTTP(S) requests
112
TCP/UDP connections
28
DNS requests
17
Threats
0

HTTP requests

PID Process Method Code IP:port URL [CN, reputation]
2716 dxwsetup.exe GET 302 2.18.160.223:80 http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/dxupdate.cab [unknown, whitelisted]
2716 dxwsetup.exe GET 200 2.17.190.73:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D [unknown, whitelisted]
2524 svchost.exe GET 200 2.17.190.73:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D [unknown, whitelisted]
2716 dxwsetup.exe GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl [unknown, whitelisted]
1268 svchost.exe GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl [unknown, whitelisted]
2716 dxwsetup.exe GET 200 184.24.77.6:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl [unknown, whitelisted]
1268 svchost.exe GET 200 184.24.77.6:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl [unknown, whitelisted]
2716 dxwsetup.exe GET 302 2.18.160.223:80 http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Apr2006_xinput_x86.cab [unknown, whitelisted]
2716 dxwsetup.exe GET 302 2.18.160.223:80 http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Apr2006_xinput_x64.cab [unknown, whitelisted]
2716 dxwsetup.exe GET 302 2.18.160.223:80 http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Aug2006_xinput_x86.cab [unknown, whitelisted]

Reading the table: dxwsetup.exe (PID 2716) requests dxupdate.cab and the XInput cabs from download.microsoft.com over plain HTTP and is redirected each time; the TLS connection to the same host in Connections below is the follow-up. Its OCSP query to DigiCert and its CRL fetches for Microsoft Code Signing PCA 2011 (MicCodSigPCA2011) and Microsoft Root Certificate Authority 2011 (MicRooCerAut2011) are what Authenticode verification of a downloaded, Microsoft-signed cab looks like on the wire. The svchost.exe requests (PIDs 2524 and 1268, including the Microsoft Secure Server CA 2011 CRL) come from Windows' own services, not from the sample's process tree.
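As an added example, not from the report: decoding the two OCSP GET URLs above. An OCSP GET request carries the DER-encoded OCSPRequest as base64 in the URL path (RFC 6960, Appendix A.1), so the issuer hashes and the serial number of the certificate being checked can be recovered from the report or the PCAP without any network access. The URLs are the two from the table; the DER walker is a minimal one written for this example and handles the plain single-request form seen here (definite lengths, one CertID).

```python
import base64
from urllib.parse import unquote, urlsplit

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Read one DER element (definite length) at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _first_sequence(buf: bytes) -> bytes:
    """Skip optional context-tagged fields (tbsRequest.version [0], requestorName [1])
    and return the contents of the first SEQUENCE."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        if tag == 0x30:
            return value
    raise ValueError("no SEQUENCE found")


def _oid(b: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body to dotted form."""
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(url: str) -> dict:
    """Decode the base64 OCSPRequest in an OCSP GET URL and return its first CertID:
    hash algorithm, issuerNameHash, issuerKeyHash and serialNumber (all hex)."""
    der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    _, ocsp_request, _ = _tlv(der)           # OCSPRequest ::= SEQUENCE
    tbs = _first_sequence(ocsp_request)      # tbsRequest
    request_list = _first_sequence(tbs)      # requestList, after any optional fields
    _, request, _ = _tlv(request_list)       # first Request
    _, cert_id, _ = _tlv(request)            # reqCert CertID
    _, alg, pos = _tlv(cert_id)              # hashAlgorithm AlgorithmIdentifier
    _, oid_bytes, _ = _tlv(alg)
    _, name_hash, pos = _tlv(cert_id, pos)   # issuerNameHash OCTET STRING
    _, key_hash, pos = _tlv(cert_id, pos)    # issuerKeyHash OCTET STRING
    _, serial, _ = _tlv(cert_id, pos)        # serialNumber INTEGER
    if len(serial) > 1 and serial[0] == 0 and serial[1] & 0x80:
        serial = serial[1:]                  # drop DER sign-padding byte
    oid = _oid(oid_bytes)
    return {
        "hash_algorithm": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),
    }


# Both URLs copied from the report's HTTP requests table.
URL_DXWSETUP = ("http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQU"
                "TiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D")
URL_SVCHOST = ("http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQU"
               "A95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D")

if __name__ == "__main__":
    for label, url in (("dxwsetup.exe", URL_DXWSETUP), ("svchost.exe", URL_SVCHOST)):
        print(label, decode_ocsp_get(url))
```

The issuerKeyHash identifies the issuing CA and the serial identifies the certificate, so the two results show that the dxwsetup.exe and svchost.exe queries concern certificates from different DigiCert issuers; matching the serial against the certificates embedded in the downloaded cab's signature (or the timestamp countersignature) tells you which link of the chain was being checked.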

Connections

PID Process IP:port Domain ASN CN Reputation
4 System 192.168.100.255:137 (no domain recorded) whitelisted
5944 MoUsoCoreWorker.exe 4.231.128.59:443 settings-win.data.microsoft.com MICROSOFT-CORP-MSN-AS-BLOCK IE whitelisted
1268 svchost.exe 4.231.128.59:443 settings-win.data.microsoft.com MICROSOFT-CORP-MSN-AS-BLOCK IE whitelisted
6356 RUXIMICS.exe 4.231.128.59:443 settings-win.data.microsoft.com MICROSOFT-CORP-MSN-AS-BLOCK IE whitelisted
4 System 192.168.100.255:138 (no domain recorded) whitelisted
2716 dxwsetup.exe 2.18.160.223:80 download.microsoft.com AKAMAI-AS DE whitelisted
2716 dxwsetup.exe 2.18.160.223:443 download.microsoft.com AKAMAI-AS DE whitelisted
2716 dxwsetup.exe 2.17.190.73:80 ocsp.digicert.com AKAMAI-AS DE whitelisted
2716 dxwsetup.exe 184.24.77.6:80 crl.microsoft.com Akamai International B.V. DE whitelisted
2716 dxwsetup.exe 95.101.149.131:80 www.microsoft.com Akamai International B.V. NL whitelisted

Only the PID 2716 rows belong to the sample. The System rows are the guest's NetBIOS name-service and datagram broadcasts (ports 137 and 138 to the subnet broadcast address), and the MoUsoCoreWorker.exe, svchost.exe and RUXIMICS.exe rows are Windows Update and telemetry components talking to settings-win.data.microsoft.com.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
download.microsoft.com
  • 2.18.160.223
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 184.24.77.6
  • 184.24.77.12
  • 184.24.77.37
  • 184.24.77.35
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.159.0
  • 20.190.159.131
  • 20.190.159.71
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.130
  • 40.126.31.67
  • 40.126.31.130
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

No threats detected
Debug output strings

dxwsetup.exe: DLL_PROCESS_ATTACH
dxwsetup.exe: DLL_PROCESS_ATTACH
dxwsetup.exe: DLL_PROCESS_DETACH
dxwsetup.exe: DLL_PROCESS_DETACH