File name: dxwebsetup.exe

Full analysis: https://app.any.run/tasks/f94f46b2-6e6e-4287-a3a5-b0f0057e8eab
Verdict: Malicious activity
Analysis date: June 15, 2025, 14:50:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive, 3 sections
MD5: 880A353DC9AB4202F2CFBEC1CB37181D
SHA1: 0BAFEE10ED68194FB332D3B46F7D92C8AD962843
SHA256: 6B5C9CEC68C7F3C0BA98B8D0B335F1BE8EA4CD37FB02B4C81ECC1A95EF6D9578
SSDEEP: 6144:OWK8faaQMbjFtVNtHb7RGb/Mp7mgypysDVpU2drVxP:LaaQMXDFFfp7S5DbU2RP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • dxwebsetup.exe (PID: 3884)
      • dxwebsetup.exe (PID: 6428)
      • infinst.exe (PID: 4688)
      • infinst.exe (PID: 4692)
      • infinst.exe (PID: 1728)
      • infinst.exe (PID: 7032)
      • infinst.exe (PID: 6188)
      • infinst.exe (PID: 4680)
      • infinst.exe (PID: 6148)
      • infinst.exe (PID: 4012)
      • infinst.exe (PID: 5124)
      • infinst.exe (PID: 2596)
      • infinst.exe (PID: 4860)
      • infinst.exe (PID: 5744)
      • infinst.exe (PID: 1932)
      • infinst.exe (PID: 3092)
      • infinst.exe (PID: 5468)
      • infinst.exe (PID: 3000)
      • infinst.exe (PID: 888)
      • infinst.exe (PID: 2072)
      • infinst.exe (PID: 2032)
      • infinst.exe (PID: 1704)
      • infinst.exe (PID: 5692)
      • infinst.exe (PID: 4460)
      • infinst.exe (PID: 5708)
      • infinst.exe (PID: 4796)
      • infinst.exe (PID: 3688)
      • infinst.exe (PID: 3968)
      • infinst.exe (PID: 4308)
      • infinst.exe (PID: 6688)
      • infinst.exe (PID: 1508)
      • infinst.exe (PID: 5496)
      • infinst.exe (PID: 2512)
      • infinst.exe (PID: 5252)
      • infinst.exe (PID: 4188)
      • infinst.exe (PID: 2188)
      • infinst.exe (PID: 3148)
      • infinst.exe (PID: 4892)
      • infinst.exe (PID: 1576)
      • infinst.exe (PID: 3620)
      • infinst.exe (PID: 2532)
      • infinst.exe (PID: 4708)
      • infinst.exe (PID: 3752)
      • infinst.exe (PID: 3480)
      • infinst.exe (PID: 6140)
      • infinst.exe (PID: 4680)
      • infinst.exe (PID: 4692)
      • infinst.exe (PID: 6808)
      • infinst.exe (PID: 6176)
      • infinst.exe (PID: 4884)
      • infinst.exe (PID: 6380)
      • infinst.exe (PID: 4456)
      • infinst.exe (PID: 4752)
      • infinst.exe (PID: 1520)
      • infinst.exe (PID: 4836)
      • infinst.exe (PID: 5780)
      • infinst.exe (PID: 5460)
      • infinst.exe (PID: 6656)
      • infinst.exe (PID: 2028)
      • infinst.exe (PID: 6336)
      • infinst.exe (PID: 3976)
      • infinst.exe (PID: 3644)
      • infinst.exe (PID: 7128)
      • infinst.exe (PID: 2792)
      • infinst.exe (PID: 2804)
      • infinst.exe (PID: 6376)
      • infinst.exe (PID: 1704)
      • infinst.exe (PID: 3688)
      • infinst.exe (PID: 3864)
      • infinst.exe (PID: 3656)
      • infinst.exe (PID: 2464)
      • infinst.exe (PID: 2972)
      • infinst.exe (PID: 4748)
      • infinst.exe (PID: 5220)
      • infinst.exe (PID: 6012)
      • infinst.exe (PID: 4648)
    • Changes the autorun value in the registry

      • dxwebsetup.exe (PID: 6428)
    • Registers / Runs the DLL via REGSVR32.EXE

      • dxwsetup.exe (PID: 1720)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • dxwebsetup.exe (PID: 6428)
      • infinst.exe (PID: 4688)
      • dxwsetup.exe (PID: 1720)
      • infinst.exe (PID: 4692)
      • infinst.exe (PID: 1728)
      • infinst.exe (PID: 7032)
      • infinst.exe (PID: 4680)
      • infinst.exe (PID: 6148)
      • infinst.exe (PID: 2596)
      • infinst.exe (PID: 4012)
      • infinst.exe (PID: 6188)
      • infinst.exe (PID: 1932)
      • infinst.exe (PID: 4860)
      • infinst.exe (PID: 5744)
      • infinst.exe (PID: 3092)
      • infinst.exe (PID: 5124)
      • infinst.exe (PID: 5468)
      • infinst.exe (PID: 888)
      • infinst.exe (PID: 3000)
      • infinst.exe (PID: 2072)
      • infinst.exe (PID: 2032)
      • infinst.exe (PID: 1704)
      • infinst.exe (PID: 5692)
      • infinst.exe (PID: 3968)
      • infinst.exe (PID: 4460)
      • infinst.exe (PID: 5708)
      • infinst.exe (PID: 3688)
      • infinst.exe (PID: 4308)
      • infinst.exe (PID: 6688)
      • infinst.exe (PID: 5496)
      • infinst.exe (PID: 4796)
      • infinst.exe (PID: 1508)
      • infinst.exe (PID: 3148)
      • infinst.exe (PID: 2512)
      • infinst.exe (PID: 2188)
      • infinst.exe (PID: 4188)
      • infinst.exe (PID: 4892)
      • infinst.exe (PID: 1576)
      • infinst.exe (PID: 4708)
      • infinst.exe (PID: 3620)
      • infinst.exe (PID: 5252)
      • infinst.exe (PID: 2532)
      • infinst.exe (PID: 3752)
      • infinst.exe (PID: 3480)
      • infinst.exe (PID: 6140)
      • infinst.exe (PID: 4680)
      • infinst.exe (PID: 4692)
      • infinst.exe (PID: 6808)
      • infinst.exe (PID: 4456)
      • infinst.exe (PID: 6176)
      • infinst.exe (PID: 4884)
      • infinst.exe (PID: 6380)
      • infinst.exe (PID: 4752)
      • infinst.exe (PID: 1520)
      • infinst.exe (PID: 4836)
      • infinst.exe (PID: 5780)
      • infinst.exe (PID: 5460)
      • infinst.exe (PID: 6656)
      • infinst.exe (PID: 2028)
      • infinst.exe (PID: 6336)
      • infinst.exe (PID: 3976)
      • infinst.exe (PID: 3644)
      • infinst.exe (PID: 7128)
      • infinst.exe (PID: 2792)
      • infinst.exe (PID: 2804)
      • infinst.exe (PID: 2464)
      • infinst.exe (PID: 1704)
      • infinst.exe (PID: 3688)
      • infinst.exe (PID: 3864)
      • infinst.exe (PID: 6376)
      • infinst.exe (PID: 3656)
      • infinst.exe (PID: 2972)
      • infinst.exe (PID: 4748)
      • infinst.exe (PID: 5220)
      • infinst.exe (PID: 6012)
      • infinst.exe (PID: 4648)
    • Starts a Microsoft application from unusual location

      • dxwebsetup.exe (PID: 6428)
      • dxwebsetup.exe (PID: 3884)
      • dxwsetup.exe (PID: 1720)
    • Executable content was dropped or overwritten

      • dxwebsetup.exe (PID: 6428)
      • infinst.exe (PID: 4688)
      • dxwsetup.exe (PID: 1720)
      • infinst.exe (PID: 4692)
      • infinst.exe (PID: 4680)
      • infinst.exe (PID: 1728)
      • infinst.exe (PID: 7032)
      • infinst.exe (PID: 6188)
      • infinst.exe (PID: 6148)
      • infinst.exe (PID: 4012)
      • infinst.exe (PID: 2596)
      • infinst.exe (PID: 5124)
      • infinst.exe (PID: 1932)
      • infinst.exe (PID: 4860)
      • infinst.exe (PID: 5744)
      • infinst.exe (PID: 3092)
      • infinst.exe (PID: 3000)
      • infinst.exe (PID: 2072)
      • infinst.exe (PID: 5468)
      • infinst.exe (PID: 888)
      • infinst.exe (PID: 2032)
      • infinst.exe (PID: 1704)
      • infinst.exe (PID: 5692)
      • infinst.exe (PID: 5708)
      • infinst.exe (PID: 4460)
      • infinst.exe (PID: 3688)
      • infinst.exe (PID: 3968)
      • infinst.exe (PID: 4308)
      • infinst.exe (PID: 1508)
      • infinst.exe (PID: 5496)
      • infinst.exe (PID: 4796)
      • infinst.exe (PID: 6688)
      • infinst.exe (PID: 2512)
      • infinst.exe (PID: 4188)
      • infinst.exe (PID: 2188)
      • infinst.exe (PID: 3148)
      • infinst.exe (PID: 4892)
      • infinst.exe (PID: 4708)
      • infinst.exe (PID: 1576)
      • infinst.exe (PID: 3620)
      • infinst.exe (PID: 5252)
      • infinst.exe (PID: 3752)
      • infinst.exe (PID: 3480)
      • infinst.exe (PID: 6140)
      • infinst.exe (PID: 4680)
      • infinst.exe (PID: 2532)
      • infinst.exe (PID: 6808)
      • infinst.exe (PID: 4456)
      • infinst.exe (PID: 4884)
      • infinst.exe (PID: 6176)
      • infinst.exe (PID: 4692)
      • infinst.exe (PID: 6380)
      • infinst.exe (PID: 4752)
      • infinst.exe (PID: 1520)
      • infinst.exe (PID: 4836)
      • infinst.exe (PID: 5780)
      • infinst.exe (PID: 5460)
      • infinst.exe (PID: 6656)
      • infinst.exe (PID: 6336)
      • infinst.exe (PID: 2028)
      • infinst.exe (PID: 3976)
      • infinst.exe (PID: 3644)
      • infinst.exe (PID: 7128)
      • infinst.exe (PID: 2792)
      • infinst.exe (PID: 2804)
      • infinst.exe (PID: 6376)
      • infinst.exe (PID: 2464)
      • infinst.exe (PID: 1704)
      • infinst.exe (PID: 3864)
      • infinst.exe (PID: 3688)
      • infinst.exe (PID: 3656)
      • infinst.exe (PID: 2972)
      • infinst.exe (PID: 4748)
      • infinst.exe (PID: 5220)
      • infinst.exe (PID: 6012)
      • infinst.exe (PID: 4648)
    • Reads security settings of Internet Explorer

      • dxwsetup.exe (PID: 1720)
    • Executes as Windows Service

      • VSSVC.exe (PID: 856)
    • There is functionality for taking screenshot (YARA)

      • dllhost.exe (PID: 2140)
    • Searches for installed software

      • dllhost.exe (PID: 2140)
  • INFO

    • The sample compiled with english language support

      • dxwebsetup.exe (PID: 6428)
      • dxwsetup.exe (PID: 1720)
      • infinst.exe (PID: 4680)
      • infinst.exe (PID: 4692)
      • infinst.exe (PID: 1728)
      • infinst.exe (PID: 6188)
      • infinst.exe (PID: 7032)
      • infinst.exe (PID: 4688)
      • infinst.exe (PID: 6148)
      • infinst.exe (PID: 2596)
      • infinst.exe (PID: 4012)
      • infinst.exe (PID: 4860)
      • infinst.exe (PID: 5744)
      • infinst.exe (PID: 5124)
      • infinst.exe (PID: 1932)
      • infinst.exe (PID: 3092)
      • infinst.exe (PID: 5468)
      • infinst.exe (PID: 3000)
      • infinst.exe (PID: 888)
      • infinst.exe (PID: 2072)
      • infinst.exe (PID: 2032)
      • infinst.exe (PID: 1704)
      • infinst.exe (PID: 5692)
      • infinst.exe (PID: 4460)
      • infinst.exe (PID: 5708)
      • infinst.exe (PID: 3688)
      • infinst.exe (PID: 3968)
      • infinst.exe (PID: 4308)
      • infinst.exe (PID: 6688)
      • infinst.exe (PID: 5496)
      • infinst.exe (PID: 1508)
      • infinst.exe (PID: 4796)
      • infinst.exe (PID: 3148)
      • infinst.exe (PID: 2512)
      • infinst.exe (PID: 2188)
      • infinst.exe (PID: 4188)
      • infinst.exe (PID: 5252)
      • infinst.exe (PID: 4892)
      • infinst.exe (PID: 4708)
      • infinst.exe (PID: 1576)
      • infinst.exe (PID: 3620)
      • infinst.exe (PID: 3752)
      • infinst.exe (PID: 2532)
      • infinst.exe (PID: 3480)
      • infinst.exe (PID: 4680)
      • infinst.exe (PID: 6140)
      • infinst.exe (PID: 4884)
      • infinst.exe (PID: 4692)
      • infinst.exe (PID: 6808)
      • infinst.exe (PID: 4456)
      • infinst.exe (PID: 6176)
      • infinst.exe (PID: 6380)
      • infinst.exe (PID: 4752)
      • infinst.exe (PID: 1520)
      • infinst.exe (PID: 4836)
      • infinst.exe (PID: 5780)
      • infinst.exe (PID: 6656)
      • infinst.exe (PID: 2028)
      • infinst.exe (PID: 6336)
      • infinst.exe (PID: 3976)
      • infinst.exe (PID: 5460)
      • infinst.exe (PID: 3644)
      • infinst.exe (PID: 7128)
      • infinst.exe (PID: 2792)
      • infinst.exe (PID: 2804)
      • infinst.exe (PID: 6376)
      • infinst.exe (PID: 2464)
      • infinst.exe (PID: 1704)
      • infinst.exe (PID: 3864)
      • infinst.exe (PID: 3688)
      • infinst.exe (PID: 2972)
      • infinst.exe (PID: 4748)
      • infinst.exe (PID: 5220)
      • infinst.exe (PID: 6012)
      • infinst.exe (PID: 3656)
      • infinst.exe (PID: 4648)
    • Checks supported languages

      • dxwebsetup.exe (PID: 6428)
      • dxwsetup.exe (PID: 1720)
    • Create files in a temporary directory

      • dxwebsetup.exe (PID: 6428)
      • dxwsetup.exe (PID: 1720)
    • Launching a file from a Registry key

      • dxwebsetup.exe (PID: 6428)
    • Creates files or folders in the user directory

      • dxwsetup.exe (PID: 1720)
    • Reads the software policy settings

      • dxwsetup.exe (PID: 1720)
    • Reads the machine GUID from the registry

      • dxwsetup.exe (PID: 1720)
    • Manages system restore points

      • SrTasks.exe (PID: 2732)
    • The sample compiled with chinese language support

      • dxwsetup.exe (PID: 1720)
      • dxwebsetup.exe (PID: 6428)
    • Reads the computer name

      • dxwsetup.exe (PID: 1720)
    • Checks proxy server information

      • dxwsetup.exe (PID: 1720)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:08:18 01:42:57+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7
CodeSize: 34816
InitializedDataSize: 258048
UninitializedDataSize: -
EntryPoint: 0x5a5e
OSVersion: 5.1
ImageVersion: 5.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.2600.0
ProductVersionNumber: 6.0.2600.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: DirectX 9.0 Web setup
FileVersion: 9.28.1886.0
InternalName: DXWebSetup
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName: dxwebsetup.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 9.28.1886.0
No data.
All screenshots are available in the full report
Total processes
257
Monitored processes
110
Malicious processes
77
Suspicious processes
1

Behavior graph

start dxwebsetup.exe dxwsetup.exe slui.exe SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs infinst.exe infinst.exe infinst.exe infinst.exe infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe infinst.exe regsvr32.exe no specs infinst.exe infinst.exe regsvr32.exe no specs infinst.exe infinst.exe regsvr32.exe no specs infinst.exe infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe regsvr32.exe no specs infinst.exe infinst.exe regsvr32.exe no specs infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe infinst.exe infinst.exe infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe regsvr32.exe no specs infinst.exe infinst.exe regsvr32.exe no specs infinst.exe regsvr32.exe no specs infinst.exe infinst.exe infinst.exe infinst.exe infinst.exe infinst.exe regsvr32.exe no specs infinst.exe regsvr32.exe no specs SPPSurrogate no specs dxwebsetup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 304 | CMD: C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\xactengine3_5.dll | Path: C:\Windows\System32\regsvr32.exe | Parent process: dxwsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 536 | CMD: C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\xactengine2_3.dll | Path: C:\Windows\System32\regsvr32.exe | Parent process: dxwsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 856 | CMD: C:\WINDOWS\system32\vssvc.exe | Path: C:\Windows\System32\VSSVC.exe | Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 888 | CMD: C:\Users\admin\AppData\Local\Temp\DXEE73.tmp\infinst.exe d3dx10_00_x64.inf | Path: C:\Users\admin\AppData\Local\Temp\DXEE73.tmp\infinst.exe | Parent process: dxwsetup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dxee73.tmp\infinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1100 | CMD: C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\xactengine2_6.dll | Path: C:\Windows\System32\regsvr32.exe | Parent process: dxwsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1128 | CMD: C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\xactengine2_1.dll | Path: C:\Windows\System32\regsvr32.exe | Parent process: dxwsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1180 | CMD: C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\xactengine3_4.dll | Path: C:\Windows\System32\regsvr32.exe | Parent process: dxwsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1212 | CMD: C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\XAudio2_4.dll | Path: C:\Windows\System32\regsvr32.exe | Parent process: dxwsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1440 | CMD: C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\xactengine2_5.dll | Path: C:\Windows\System32\regsvr32.exe | Parent process: dxwsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1484 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: SrTasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
15 026
Read events
14 710
Write events
296
Delete events
20

Modification events

(PID) Process: (6428) dxwebsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: wextract_cleanup0
Value: rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"

(PID) Process: (1720) dxwsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1720) dxwsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1720) dxwsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2140) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 48000000000000007786A20305DEDB015C080000A8010000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1720) dxwsetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000002623A00305DEDB01B8060000E0110000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2140) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 48000000000000005E49C60305DEDB015C080000A8010000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2140) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 48000000000000005E49C60305DEDB015C080000A8010000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2140) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 480000000000000031ADC80305DEDB015C080000A8010000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2140) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 48000000000000008974CD0305DEDB015C080000A8010000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
655
Suspicious files
1 059
Text files
52
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 6428 | Process: dxwebsetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll | Type: executable
MD5: F6B14958D2A93750C3D4FAD02CA739BE
SHA256: 529C3E93C1A7CBB0225AB5F12C5BB0E91EB905EBF3DB7FC00CBD96D8E66A6F0E
PID: 6428 | Process: dxwebsetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll | Type: executable
MD5: 8DC08C0EFFFFC3D08E8718260843D10C
SHA256: 9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
PID: 1720 | Process: dxwsetup.exe | Filename: C:\Windows\SysWOW64\directx\websetup\SET596A.tmp | Type: executable
MD5: 8DC08C0EFFFFC3D08E8718260843D10C
SHA256: 9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
PID: 1720 | Process: dxwsetup.exe | Filename: C:\Windows\Logs\DirectX.log | Type: text
MD5: 5C203EF19981E0803AA5D828A0FB11C6
SHA256: 83BCFAA46E580F3ADB6BAFCD4D1EC3E6C1F2584E001CC981F4E383730E593148
PID: 6428 | Process: dxwebsetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif | Type: text
MD5: 4BF39E4BB4A0595EF7A83CE93279F1DC
SHA256: 32E1BD2E381F27D9815A5EE44F82B000DA3522E205E26991D2B490A527E62C30
PID: 1720 | Process: dxwsetup.exe | Filename: C:\Windows\SysWOW64\directx\websetup\dsetup.dll | Type: executable
MD5: 8DC08C0EFFFFC3D08E8718260843D10C
SHA256: 9AD6F392A736BA7E137AC7A49BC454E1457C91372FFEC8EFFD4E779716A1F07D
PID: 6428 | Process: dxwebsetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf | Type: text
MD5: AD8982EAA02C7AD4D7CDCBC248CAA941
SHA256: D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00
PID: 6428 | Process: dxwebsetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Type: executable
MD5: A2772E5A8DF5DC3487E8516321ED29DA
SHA256: 8FAC859DC73AB7A8C18F093C6A58ACCF3EE8F1B86A4BCFCE4C9E8A1253D2828F
PID: 1720 | Process: dxwsetup.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\dxupdate[1].cab | Type: compressed
MD5: 4AFD7F5C0574A0EFD163740ECB142011
SHA256: 6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
PID: 1720 | Process: dxwsetup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | Type: binary
MD5: 0F7B8F6A846AA9CA52FA562DDDCDB5ED
SHA256: AFF90E65A81289B80D1FCC5E71B3D88E5D1AAFE22CE358EB6E28A56D1845263D
HTTP(S) requests
170
TCP/UDP connections
44
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1720
dxwsetup.exe
GET
302
2.18.160.223:80
http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/dxupdate.cab
unknown
whitelisted
1720
dxwsetup.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
1720
dxwsetup.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
1720
dxwsetup.exe
GET
200
184.24.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4944
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
184.24.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1720
dxwsetup.exe
GET
302
2.18.160.223:80
http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Apr2006_xinput_x86.cab
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1720
dxwsetup.exe
GET
302
2.18.160.223:80
http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Apr2006_xinput_x64.cab
unknown
whitelisted
1720
dxwsetup.exe
GET
302
2.18.160.223:80
http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Aug2006_xinput_x86.cab
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6012
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1720
dxwsetup.exe
2.18.160.223:80
download.microsoft.com
AKAMAI-AS
DE
whitelisted
1720
dxwsetup.exe
2.18.160.223:443
download.microsoft.com
AKAMAI-AS
DE
whitelisted
1720
dxwsetup.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1720
dxwsetup.exe
184.24.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1720
dxwsetup.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.78
whitelisted
download.microsoft.com
  • 2.18.160.223
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
crl.microsoft.com
  • 184.24.77.42
  • 184.24.77.35
  • 184.24.77.12
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.64
  • 20.190.159.130
  • 40.126.31.130
  • 20.190.159.73
  • 40.126.31.3
  • 40.126.32.74
  • 20.190.160.65
  • 20.190.160.4
  • 20.190.160.22
  • 20.190.160.2
  • 20.190.160.14
  • 40.126.32.68
  • 20.190.160.131
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

No threats detected
Debug output

Process | Message
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_DETACH
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_DETACH
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_DETACH
dxwsetup.exe | DLL_PROCESS_DETACH