File name: DirectX Web setup.exe

Full analysis: https://app.any.run/tasks/978838a4-afb2-42b3-aeb8-33b075a5cb85
Verdict: Malicious activity
Analysis date: April 10, 2025, 09:08:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive, 3 sections
MD5: 880A353DC9AB4202F2CFBEC1CB37181D
SHA1: 0BAFEE10ED68194FB332D3B46F7D92C8AD962843
SHA256: 6B5C9CEC68C7F3C0BA98B8D0B335F1BE8EA4CD37FB02B4C81ECC1A95EF6D9578
SSDEEP: 6144:OWK8faaQMbjFtVNtHb7RGb/Mp7mgypysDVpU2drVxP:LaaQMXDFFfp7S5DbU2RP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • DirectX Web setup.exe (PID: 7300)
      • DirectX Web setup.exe (PID: 7388)
    • Changes the autorun value in the registry

      • DirectX Web setup.exe (PID: 7388)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • dxwsetup.exe (PID: 7424)
      • DirectX Web setup.exe (PID: 7388)
      • DirectX Web setup.exe (PID: 7300)
    • Executable content was dropped or overwritten

      • dxwsetup.exe (PID: 7424)
      • DirectX Web setup.exe (PID: 7388)
    • Process drops legitimate windows executable

      • DirectX Web setup.exe (PID: 7388)
      • dxwsetup.exe (PID: 7424)
    • Reads security settings of Internet Explorer

      • dxwsetup.exe (PID: 7424)
  • INFO

    • The sample was compiled with English language support

      • DirectX Web setup.exe (PID: 7388)
      • dxwsetup.exe (PID: 7424)
    • Creates files in a temporary directory

      • DirectX Web setup.exe (PID: 7388)
      • dxwsetup.exe (PID: 7424)
    • Checks supported languages

      • DirectX Web setup.exe (PID: 7388)
      • dxwsetup.exe (PID: 7424)
    • The sample was compiled with Chinese language support

      • DirectX Web setup.exe (PID: 7388)
      • dxwsetup.exe (PID: 7424)
    • Creates files or folders in the user directory

      • dxwsetup.exe (PID: 7424)
    • Reads the computer name

      • dxwsetup.exe (PID: 7424)
    • Checks proxy server information

      • dxwsetup.exe (PID: 7424)
    • Reads the software policy settings

      • dxwsetup.exe (PID: 7424)
    • Reads the machine GUID from the registry

      • dxwsetup.exe (PID: 7424)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:08:18 01:42:57+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7
CodeSize: 34816
InitializedDataSize: 258048
UninitializedDataSize: -
EntryPoint: 0x5a5e
OSVersion: 5.1
ImageVersion: 5.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.2600.0
ProductVersionNumber: 6.0.2600.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: DirectX 9.0 Web setup
FileVersion: 9.28.1886.0
InternalName: DXWebSetup
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName: dxwebsetup.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 9.28.1886.0
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Graph nodes: start -> directx web setup.exe, dxwsetup.exe, sppextcomobj.exe (no specs), slui.exe (no specs), directx web setup.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 7300
CMD: "C:\Users\admin\AppData\Local\Temp\DirectX Web setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\DirectX Web setup.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DirectX 9.0 Web setup
Exit code:
3221226540
Version:
9.28.1886.0
Modules
Images
c:\users\admin\appdata\local\temp\directx web setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7388
CMD: "C:\Users\admin\AppData\Local\Temp\DirectX Web setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\DirectX Web setup.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
DirectX 9.0 Web setup
Version:
9.28.1886.0
Modules
Images
c:\users\admin\appdata\local\temp\directx web setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 7424
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Parent process: DirectX Web setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
DirectX Setup
Version:
4.9.0.0904
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\dxwsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 7560
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7592
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 812
Read events: 3 808
Write events: 4
Delete events: 0

Modification events

(PID) Process: (7388) DirectX Web setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: wextract_cleanup0
Value:
rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"

(PID) Process: (7424) dxwsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7424) dxwsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (7424) dxwsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
Executable files: 11
Suspicious files: 65
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7424 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | executable
MD5:8DC08C0EFFFFC3D08E8718260843D10C
SHA256:9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
7388 | DirectX Web setup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif | text
MD5:4BF39E4BB4A0595EF7A83CE93279F1DC
SHA256:32E1BD2E381F27D9815A5EE44F82B000DA3522E205E26991D2B490A527E62C30
7424 | dxwsetup.exe | C:\Windows\Logs\DirectX.log | text
MD5:B57BCF5891C6097E02C5233EDBEE7998
SHA256:A10D8E860192FAC5A0753034AAEB5F05E6EEF9507BD071AD215E4BF148F140F7
7388 | DirectX Web setup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll | executable
MD5:F6B14958D2A93750C3D4FAD02CA739BE
SHA256:529C3E93C1A7CBB0225AB5F12C5BB0E91EB905EBF3DB7FC00CBD96D8E66A6F0E
7424 | dxwsetup.exe | C:\Windows\SysWOW64\directx\websetup\SETC814.tmp | executable
MD5:8DC08C0EFFFFC3D08E8718260843D10C
SHA256:9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
7388 | DirectX Web setup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll | executable
MD5:8DC08C0EFFFFC3D08E8718260843D10C
SHA256:9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
7388 | DirectX Web setup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf | text
MD5:AD8982EAA02C7AD4D7CDCBC248CAA941
SHA256:D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00
7388 | DirectX Web setup.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | executable
MD5:A2772E5A8DF5DC3487E8516321ED29DA
SHA256:8FAC859DC73AB7A8C18F093C6A58ACCF3EE8F1B86A4BCFCE4C9E8A1253D2828F
7424 | dxwsetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | binary
MD5:2AE29DC08C558E80ED19C7D835622D81
SHA256:2EE5A79034E5625C6D2B4AEB8AC7B301B7DAD3DE20D14CDD74D413D65527556F
7424 | dxwsetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | binary
MD5:6CEE24D9776D95B95991D28267C619D1
SHA256:8FC8D9F52FBB8EBC10849B7DA2FF45091D1C429387973D740189C4CBBFBA763A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 25
TCP/UDP connections: 23
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8024 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
8024 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7424 | dxwsetup.exe | GET | 302 | 23.32.97.192:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/dxupdate.cab | unknown | whitelisted
7424 | dxwsetup.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
7424 | dxwsetup.exe | GET | 302 | 23.32.97.192:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Aug2006_xinput_x64.cab | unknown | whitelisted
7424 | dxwsetup.exe | GET | 302 | 23.32.97.192:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Dec2006_d3dx10_00_x86.cab | unknown | whitelisted
7424 | dxwsetup.exe | GET | 302 | 23.32.97.192:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Dec2006_d3dx10_00_x64.cab | unknown | whitelisted
7424 | dxwsetup.exe | GET | 302 | 23.32.97.192:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Apr2007_xinput_x86.cab | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6392 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 |  | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 |  | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
5496 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2112 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.42
  • 23.216.77.28
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.140
  • 40.126.32.72
  • 20.190.160.2
  • 40.126.32.136
  • 20.190.160.4
  • 20.190.160.128
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
download.microsoft.com
  • 23.32.97.192
whitelisted

Threats

No threats detected
No debug info