File name: ovisetup.exe
Full analysis: https://app.any.run/tasks/5a892e76-a562-4fd3-80f5-88e45ad7574c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 14, 2026, 13:35:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto, generic, delphi, loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 1692AEC61DDCDDA471DEFA199C62D25A
SHA1: 484AF221468DDB534B74E12970DE80D5DFEE2B28
SHA256: 84BDE632C5BFD2A7FF84E579E6F7561543CA0AAD6D8E7275DAE5926BA4F561C1
SSDEEP: 49152:9Hox6U/D1LbDxklrSWZAhizWV4yFK73bBxaaNNG0pHSdtDLboHTBWpHg6UvM98Il:2x6qaAVpchNG0pHA57HgR0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • ovisetup.exe (PID: 7544)
    • Executing a file with an untrusted certificate

      • dxwebsetup.exe (PID: 7876)
      • dxwebsetup.exe (PID: 7944)
    • Changes the autorun value in the registry

      • dxwebsetup.exe (PID: 7944)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • ovisetup.exe (PID: 7544)
    • Reads security settings of Internet Explorer

      • ovisetup.exe (PID: 7544)
      • dxwsetup.exe (PID: 7960)
    • Process drops legitimate windows executable

      • ovisetup.exe (PID: 7544)
      • dxwebsetup.exe (PID: 7944)
      • dxwsetup.exe (PID: 7960)
    • Executable content was dropped or overwritten

      • ovisetup.exe (PID: 7544)
      • dxwebsetup.exe (PID: 7944)
      • dxwsetup.exe (PID: 7960)
    • Starts a Microsoft application from unusual location

      • dxwebsetup.exe (PID: 7876)
      • dxwebsetup.exe (PID: 7944)
      • dxwsetup.exe (PID: 7960)
  • INFO

    • Process checks whether UAC notifications are on

      • ovisetup.exe (PID: 7544)
    • The sample compiled with russian language support

      • ovisetup.exe (PID: 7544)
    • Checks supported languages

      • ovisetup.exe (PID: 7544)
      • dxwebsetup.exe (PID: 7944)
      • dxwsetup.exe (PID: 7960)
    • Reads the computer name

      • ovisetup.exe (PID: 7544)
      • dxwsetup.exe (PID: 7960)
    • Checks proxy server information

      • ovisetup.exe (PID: 7544)
      • dxwsetup.exe (PID: 7960)
    • Compiled with Borland Delphi (YARA)

      • ovisetup.exe (PID: 7544)
    • The sample compiled with english language support

      • ovisetup.exe (PID: 7544)
      • dxwebsetup.exe (PID: 7944)
      • dxwsetup.exe (PID: 7960)
    • Create files in a temporary directory

      • ovisetup.exe (PID: 7544)
      • dxwebsetup.exe (PID: 7944)
      • dxwsetup.exe (PID: 7960)
    • Process checks computer location settings

      • ovisetup.exe (PID: 7544)
    • Launching a file from a Registry key

      • dxwebsetup.exe (PID: 7944)
    • Creates files or folders in the user directory

      • dxwsetup.exe (PID: 7960)
    • Reads the machine GUID from the registry

      • dxwsetup.exe (PID: 7960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:01:10 20:31:28+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, Bytes reversed lo, 32-bit, Removable run from swap, Net run from swap, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 3798528
InitializedDataSize: 827392
UninitializedDataSize: -
EntryPoint: 0x3a03e8
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 4.1.0.47
ProductVersionNumber: 4.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Windows, Cyrillic
CompanyName: New Technology Studio
FileDescription: OpenIV setup
FileVersion: 4.1.0.47
InternalName: setup.exe
LegalCopyright: © New Technology Studio
OriginalFileName: ovisetup.exe
ProductName: OpenIV
ProductVersion: 4.1.0.0
No data.
All screenshots are available in the full report
Total processes: 146
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 1

Behavior graph

[Interactive process graph not reproduced. Nodes shown: start, ovisetup.exe, dxwebsetup.exe (no specs), dxwebsetup.exe, dxwsetup.exe; parent relationships are listed under Process information below.]

Process information

PID: 7544
CMD: "C:\Users\admin\AppData\Local\Temp\ovisetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\ovisetup.exe
Parent process: explorer.exe
User: admin
Company: New Technology Studio
Integrity Level: MEDIUM
Description: OpenIV setup
Version: 4.1.0.47
Modules (images):
c:\users\admin\appdata\local\temp\ovisetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

PID: 7876
CMD: "C:\Users\admin\AppData\Local\Temp\OpenIV Setup_000FDCCA\dxwebsetup.exe" /Q
Path: C:\Users\admin\AppData\Local\Temp\OpenIV Setup_000FDCCA\dxwebsetup.exe
Parent process: ovisetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: DirectX 9.0 Web setup
Exit code: 3221226540
Version: 9.29.1974.0
Modules (images):
c:\users\admin\appdata\local\temp\openiv setup_000fdcca\dxwebsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7944
CMD: "C:\Users\admin\AppData\Local\Temp\OpenIV Setup_000FDCCA\dxwebsetup.exe" /Q
Path: C:\Users\admin\AppData\Local\Temp\OpenIV Setup_000FDCCA\dxwebsetup.exe
Parent process: ovisetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DirectX 9.0 Web setup
Version: 9.29.1974.0
Modules (images):
c:\users\admin\appdata\local\temp\openiv setup_000fdcca\dxwebsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 7960
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe /windowsupdate
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Parent process: dxwebsetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DirectX Setup
Version: 4.9.0.0904
Modules (images):
c:\users\admin\appdata\local\temp\ixp000.tmp\dxwsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events: 4 715
Read events: 4 711
Write events: 4
Delete events: 0

Modification events

(PID) Process: (7944) dxwebsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: wextract_cleanup0
Value: rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"

(PID) Process: (7960) dxwsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7960) dxwsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7960) dxwsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 12
Suspicious files: 216
Text files: 3
Unknown types: 2

Dropped files

PID 7544, ovisetup.exe: C:\Users\admin\AppData\Local\Temp\OpenIV Setup_000FDCCA\dxwebsetup.exe (executable)
MD5: BCBB7C0CD9696068988953990EC5BD11
SHA256: 34F64699D4830145CAE69BD40115B1F326E70FC6A98456CB3DF996D947DDDCA4

PID 7544, ovisetup.exe: C:\Users\admin\AppData\Local\Temp\OpenIV_Setup_Install.log (text)
MD5: 1020F2F8D17982E63CB4B31402B3C67B
SHA256: F5947C18467BA88E92C6993B42E3CC81E49D9FF5C81AC24C2D27436FB3D0CD9B

PID 7944, dxwebsetup.exe: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll (executable)
MD5: 984CAD22FA542A08C5D22941B888D8DC
SHA256: 57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308

PID 7960, dxwsetup.exe: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (executable)
MD5: A5412A144F63D639B47FCC1BA68CB029
SHA256: 8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6

PID 7944, dxwebsetup.exe: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll (executable)
MD5: A5412A144F63D639B47FCC1BA68CB029
SHA256: 8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6

PID 7944, dxwebsetup.exe: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf (text)
MD5: AD8982EAA02C7AD4D7CDCBC248CAA941
SHA256: D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00

PID 7960, dxwsetup.exe: C:\Windows\SysWOW64\directx\websetup\dsetup.dll (executable)
MD5: 984CAD22FA542A08C5D22941B888D8DC
SHA256: 57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308

PID 7944, dxwebsetup.exe: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif (text)
MD5: 7B1FBE9F5F43B2261234B78FE115CF8E
SHA256: 762FF640013DB2BD4109D7DF43A867303093815751129BD1E33F16BF02E52CCE

PID 7944, dxwebsetup.exe: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe (executable)
MD5: AC3A5F7BE8CD13A863B50AB5FE00B71C
SHA256: 8F5E89298E3DC2E22D47515900C37CCA4EE121C5BA06A6D962D40AD6E1A595DA

PID 7960, dxwsetup.exe: C:\Windows\Logs\DirectX.log (text)
MD5: 03A384FEC46C02E3913CDBF3B6FC52F0
SHA256: B38CB4EE674F979D6930651EE8736BEA304C6D24F0EF362DF3FA0068DFF31AE7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 112
TCP/UDP connections: 32
DNS requests: 18
Threats: 2

HTTP requests

PID 7544, ovisetup.exe: HEAD 200 | IP: 188.114.97.3:443 | CN: unknown | Reputation: unknown
URL: https://ntscorp.ru/ovi/setup/system.xml?cacheId=20260114-083553

PID 7544, ovisetup.exe: HEAD 200 | IP: 188.114.97.3:443 | CN: unknown | Reputation: unknown
URL: https://ntscorp.ru/ovi/setup/dxwebsetup.exe

PID 1136, svchost.exe: GET 200 | IP: 88.221.169.152:80 | CN: unknown | Reputation: whitelisted
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl

PID 1136, svchost.exe: GET 200 | IP: 2.16.164.49:80 | CN: unknown | Reputation: whitelisted
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

PID 1136, svchost.exe: GET 200 | IP: 4.231.128.59:443 | CN: unknown | Type: text | Size: 5.58 Kb | Reputation: whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2

PID 7544, ovisetup.exe: GET 200 | IP: 188.114.97.3:443 | CN: unknown | Type: executable | Size: 128 Kb | Reputation: unknown
URL: https://ntscorp.ru/ovi/setup/dxwebsetup.exe

PID 7960, dxwsetup.exe: GET 200 | IP: 184.30.131.245:80 | CN: unknown | Reputation: whitelisted
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D

PID 7544, ovisetup.exe: GET 200 | IP: 188.114.97.3:443 | CN: unknown | Type: xml | Size: 561 b | Reputation: unknown
URL: https://ntscorp.ru/ovi/setup/system.xml?cacheId=20260114-083553

PID 7960, dxwsetup.exe: GET 302 | IP: 95.100.102.63:80 | CN: unknown | Reputation: whitelisted
URL: http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/dxupdate.cab

PID 7960, dxwsetup.exe: GET 200 | IP: 95.100.102.63:443 | CN: unknown | Type: compressed | Size: 98.0 Kb | Reputation: whitelisted
URL: https://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/dxupdate.cab

Connections

PID 4, System: 192.168.100.255:137 | Not routed | Reputation: whitelisted
PID 6768, MoUsoCoreWorker.exe: 51.104.136.2:443 | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID 6300, RUXIMICS.exe: 51.104.136.2:443 | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID 1136, svchost.exe: 51.104.136.2:443 | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID 4, System: 192.168.100.255:138 | Not routed | Reputation: whitelisted
PID 1136, svchost.exe: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID 1136, svchost.exe: 2.16.164.49:80 | Domain: crl.microsoft.com | ASN: AKAMAI-ASN1 | CN: NL | Reputation: whitelisted
PID 1136, svchost.exe: 88.221.169.152:80 | Domain: www.microsoft.com | ASN: AKAMAI-AS | CN: US | Reputation: whitelisted
PID 7544, ovisetup.exe: 188.114.97.3:443 | Domain: ntscorp.ru | ASN: CLOUDFLARENET | CN: US | Reputation: whitelisted
PID 7960, dxwsetup.exe: 95.100.102.63:80 | Domain: download.microsoft.com | ASN: AKAMAI-AS | CN: US | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.251.140.174
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
ntscorp.ru
  • 188.114.97.3
  • 188.114.96.3
unknown
download.microsoft.com
  • 95.100.102.63
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.128
  • 20.190.160.2
  • 40.126.32.136
  • 40.126.32.74
  • 20.190.160.66
  • 20.190.160.131
  • 40.126.32.138
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted

Threats

Class: Unknown Traffic | Message: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Class: Potentially Bad Traffic | Message: ET INFO PE EXE or DLL Windows file download HTTP
No debug info