File name: DivXInstaller.exe

Full analysis: https://app.any.run/tasks/d759cf38-8242-48ec-930e-81aab3222b0a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 08, 2025, 13:31:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 6814B1435CF9ED804FEC5C7EE3400BA8
SHA1: 6BFBA978B07824A4A96FDDFE8F3CED0F55E8CE80
SHA256: AB751F056D19D5A8677F5FA4C9F203718247C606923FD261D34F1EB4B7D69DBD
SSDEEP: 196608:iAu8+enNsqQ3pCo4/S5Wf/VrkPpQP3t7W+l25pa:iAu8+GiqQ5ZaFkPpMlSa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • DivXInstaller.exe (PID: 2236)
      • vcredist_x86.exe (PID: 5640)
    • Executable content was dropped or overwritten

      • DivXInstaller.exe (PID: 2236)
      • vcredist_x86.exe (PID: 5640)
      • vcredist_x86.exe (PID: 4976)
      • DivXSetup.exe (PID: 536)
    • Starts a Microsoft application from unusual location

      • vcredist_x86.exe (PID: 5640)
    • Process requests binary or script from the Internet

      • DivXSetup.exe (PID: 536)
    • There is functionality for taking screenshot (YARA)

      • DivXInstaller.exe (PID: 2236)
    • Adds/modifies Windows certificates

      • DivXSetup.exe (PID: 536)
    • Reads Microsoft Outlook installation path

      • DivXSetup.exe (PID: 536)
    • Reads Internet Explorer settings

      • DivXSetup.exe (PID: 536)
    • Potential Corporate Privacy Violation

      • DivXSetup.exe (PID: 536)
    • Searches for installed software

      • vcredist_x86.exe (PID: 4976)
    • Reads security settings of Internet Explorer

      • DivXSetup.exe (PID: 536)
  • INFO

    • Checks supported languages

      • DivXInstaller.exe (PID: 2236)
      • DivXSetup.exe (PID: 536)
      • vcredist_x86.exe (PID: 5640)
      • vcredist_x86.exe (PID: 4976)
    • The sample compiled with english language support

      • DivXInstaller.exe (PID: 2236)
      • vcredist_x86.exe (PID: 5640)
      • DivXSetup.exe (PID: 536)
      • vcredist_x86.exe (PID: 4976)
    • Creates files in the program directory

      • DivXSetup.exe (PID: 536)
    • Reads the computer name

      • DivXInstaller.exe (PID: 2236)
      • DivXSetup.exe (PID: 536)
      • vcredist_x86.exe (PID: 4976)
    • Reads the machine GUID from the registry

      • DivXSetup.exe (PID: 536)
    • Create files in a temporary directory

      • DivXSetup.exe (PID: 536)
      • vcredist_x86.exe (PID: 4976)
      • DivXInstaller.exe (PID: 2236)
    • Process checks computer location settings

      • DivXSetup.exe (PID: 536)
    • Checks proxy server information

      • DivXSetup.exe (PID: 536)
      • slui.exe (PID: 2088)
    • Creates files or folders in the user directory

      • DivXSetup.exe (PID: 536)
    • Process checks whether UAC notifications are on

      • DivXSetup.exe (PID: 536)
    • Reads the software policy settings

      • DivXSetup.exe (PID: 536)
      • slui.exe (PID: 2088)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:02 08:13:11+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 31232
InitializedDataSize: 193024
UninitializedDataSize: 2048
EntryPoint: 0x3bb8
OSVersion: 5.1
ImageVersion: 6
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 11.11.1.0
ProductVersionNumber: 11.11.1.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: DivX, LLC
FileDescription: DivX Setup Bootstrapper
FileVersion: 11.11.1.0
LegalCopyright: Copyright (c) DivX, LLC. 2024
ProductName: Installer
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph (from the start node): divxinstaller.exe, vcredist_x86.exe, vcredist_x86.exe, divxsetup.exe, slui.exe, divxinstaller.exe (no specs)

Process information

PID: 536
CMD: C:\Users\admin\AppData\Local\Temp\nslDECA.tmp\DivXSetup.exe /cert C:\Users\admin\AppData\Local\Temp\nslDECA.tmp\ca-bundle.crt
Path: C:\Users\admin\AppData\Local\Temp\nslDECA.tmp\DivXSetup.exe
Parent process: DivXInstaller.exe
User: admin
Company: DivX, LLC
Integrity Level: HIGH
Description: DivX 11 Setup
Exit code: 0
Version: 11.11.1.0
Modules (images):
c:\users\admin\appdata\local\temp\nsldeca.tmp\divxsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1184
CMD: "C:\Users\admin\Desktop\DivXInstaller.exe"
Path: C:\Users\admin\Desktop\DivXInstaller.exe
Parent process: explorer.exe
User: admin
Company: DivX, LLC
Integrity Level: MEDIUM
Description: DivX Setup Bootstrapper
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the installer was then relaunched at HIGH integrity as PID 2236)
Version: 11.11.1.0
Modules (images):
c:\users\admin\desktop\divxinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2088
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2236
CMD: "C:\Users\admin\Desktop\DivXInstaller.exe"
Path: C:\Users\admin\Desktop\DivXInstaller.exe
Parent process: explorer.exe
User: admin
Company: DivX, LLC
Integrity Level: HIGH
Description: DivX Setup Bootstrapper
Exit code: 0
Version: 11.11.1.0
Modules (images):
c:\users\admin\desktop\divxinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4976
CMD: "C:\WINDOWS\Temp\{CA25AAE7-7C79-4C90-A5AA-7EAF01979D90}\.cr\vcredist_x86.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\nslDECA.tmp\vcredist_x86.exe" -burn.filehandle.attached=728 -burn.filehandle.self=732 /q /norestart
Path: C:\Windows\Temp\{CA25AAE7-7C79-4C90-A5AA-7EAF01979D90}\.cr\vcredist_x86.exe
Parent process: vcredist_x86.exe
User: admin
Integrity Level: HIGH
Exit code: 1638 (ERROR_PRODUCT_VERSION: another version of this product is already installed)
Modules (images):
c:\windows\temp\{ca25aae7-7c79-4c90-a5aa-7eaf01979d90}\.cr\vcredist_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5640
CMD: "C:\Users\admin\AppData\Local\Temp\nslDECA.tmp\vcredist_x86.exe" /q /norestart
Path: C:\Users\admin\AppData\Local\Temp\nslDECA.tmp\vcredist_x86.exe
Parent process: DivXInstaller.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.29.30153
Exit code: 1638 (ERROR_PRODUCT_VERSION: another version of this product is already installed)
Version: 14.29.30153.0
Modules (images):
c:\users\admin\appdata\local\temp\nsldeca.tmp\vcredist_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 9 564
Read events: 9 545
Write events: 15
Delete events: 4

Modification events

Process: (536) DivXSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\DivX11\Settings\Setup
Operation: write
Name: lastkey
Value: 5fb0b652-0cca-42b1-ba2f-106899d122bd

Process: (536) DivXSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\DivX11\Settings\Update
Operation: write
Name: AutoUpdateProhibited
Value: 0

Process: (536) DivXSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\DivX11\Install\Setup\BundleGroups\divx.com\_private\BannerGroups\default
Operation: write
Name: DefaultBannerHtmlPath
Value: C:\ProgramData\DivX11\Setup\DefaultBanner\defaultbanner-en-us.html

Process: (536) DivXSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\DivX11\Settings\Setup\EULAs\consumer
Operation: write
Name: Accepted
Value: 0

Process: (536) DivXSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\DivX11\Settings\Setup\EULAs\consumer
Operation: write
Name: Accepted
Value: 1

Process: (536) DivXSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\DivX11\Settings\Setup\EULAs\consumer
Operation: write
Name: Path
Value: C:\ProgramData\DivX11\Setup\EULAs\consumer\License.rtf

Process: (536) DivXSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\DivX11\Settings\Setup\EULAs\consumer
Operation: write
Name: Version
Value: 1.0.0.0

Process: (536) DivXSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: (536) DivXSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (536) DivXSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 21
Suspicious files: 1
Text files: 47
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2236 | DivXInstaller.exe | C:\Users\admin\AppData\Local\Temp\nslDECA.tmp\vcredist_x86.exe | executable
  MD5: 744B8A391E7E914C6604A533B50A6DB8
  SHA256: 29F649C08928B31E6BB11D449626DA14B5E99B5303FE2B68AFA63732EF29C946
2236 | DivXInstaller.exe | C:\Users\admin\AppData\Local\Temp\nslDECA.tmp\Banner.dll | executable
  MD5: 7E7AF195B37D4220D9A30479CFE2105F
  SHA256: B74A4B57D2D7821A584707147A77A338EC6ACC1E96D669F99FC1DF9A546DC6C6
5640 | vcredist_x86.exe | C:\Windows\Temp\{CA25AAE7-7C79-4C90-A5AA-7EAF01979D90}\.cr\vcredist_x86.exe | executable
  MD5: 60E7AE031C43F3CEC768B74DE9424D4C
  SHA256: 6B690FC74CB59F9BAC264878DE150B8845C68975D7C15CA36B0CF3AD4E6435A1
4976 | vcredist_x86.exe | C:\Windows\Temp\{29BDDB19-0FE3-406C-8571-F0E9B4D0072B}\.ba\wixstdba.dll | executable
  MD5: EAB9CAF4277829ABDF6223EC1EFA0EDD
  SHA256: A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
4976 | vcredist_x86.exe | C:\Windows\Temp\{29BDDB19-0FE3-406C-8571-F0E9B4D0072B}\.ba\thm.wxl | xml
  MD5: FBFCBC4DACC566A3C426F43CE10907B6
  SHA256: 70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
4976 | vcredist_x86.exe | C:\Windows\Temp\{29BDDB19-0FE3-406C-8571-F0E9B4D0072B}\.ba\logo.png | image
  MD5: D6BD210F227442B3362493D046CEA233
  SHA256: 335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
4976 | vcredist_x86.exe | C:\Windows\Temp\{29BDDB19-0FE3-406C-8571-F0E9B4D0072B}\.ba\license.rtf | text
  MD5: 2EABBB391ACB89942396DF5C1CA2BAD8
  SHA256: E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
4976 | vcredist_x86.exe | C:\Windows\Temp\{29BDDB19-0FE3-406C-8571-F0E9B4D0072B}\.ba\thm.xml | xml
  MD5: F62729C6D2540015E072514226C121C7
  SHA256: F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
4976 | vcredist_x86.exe | C:\Windows\Temp\{29BDDB19-0FE3-406C-8571-F0E9B4D0072B}\.ba\1036\thm.wxl | xml
  MD5: 7B46AE8698459830A0F9116BC27DE7DF
  SHA256: 704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
2236 | DivXInstaller.exe | C:\Users\admin\AppData\Local\Temp\nslDECA.tmp\nsExec.dll | executable
  MD5: 915A147B00AB860D7663F436230C60C9
  SHA256: 6E5C0D5C3ED92904490A56756EC8135933874740539F5D5F0AF52493EB16FF03
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 42
DNS requests: 9
Threats: 36

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
536 | DivXSetup.exe | GET | 200 | 52.85.65.86:80 | http://download.divx.com/divx/setup/manifest.dxp | US | binary | 22.3 Kb | unknown
536 | DivXSetup.exe | GET | 200 | 52.85.65.86:80 | http://download.divx.com/divx/setup/x64/RunUserProcessApp.exe | US | executable | 210 Kb | unknown
536 | DivXSetup.exe | HEAD | 403 | 52.85.65.86:80 | http://download.divx.com/hint/11.0.1/installer/install-11.11.1.0-lnch-Windows-10.0.19045-b=DivXForWindows-d=organic-c=US | US | - | - | unknown
536 | DivXSetup.exe | GET | 200 | 52.85.65.86:80 | http://download.divx.com/divx/package/Qt5.6/Installer.exe | US | executable | 36.9 Mb | unknown
536 | DivXSetup.exe | GET | 200 | 52.85.65.86:80 | http://download.divx.com/divx/banner/banner_1-en-us.html | US | html | 472 b | unknown
536 | DivXSetup.exe | GET | 200 | 52.85.65.86:80 | http://download.divx.com/divx/licenses/en-us/EULA_Consumer.rtf | US | text | 13.8 Kb | unknown
536 | DivXSetup.exe | GET | 200 | 52.85.65.86:80 | http://download.divx.com/divx/banner/banner_1.png | US | image | 494 Kb | unknown
536 | DivXSetup.exe | GET | 200 | 52.85.65.86:80 | http://download.divx.com/divx/banner/banner_2-en-us.html | US | html | 515 b | unknown
536 | DivXSetup.exe | GET | 200 | 52.85.65.86:80 | http://download.divx.com/divx/banner/banner_2.png | US | image | 330 Kb | unknown
536 | DivXSetup.exe | GET | 200 | 52.85.65.86:80 | http://download.divx.com/divx/banner/banner_3-en-us.html | US | html | 513 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
536 | DivXSetup.exe | 52.85.65.86:80 | download.divx.com | AMAZON-02 | US | unknown
5280 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
536 | DivXSetup.exe | 142.250.185.196:80 | www.google.com | GOOGLE | US | whitelisted
2088 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 142.250.186.78 | whitelisted
download.divx.com | 52.85.65.86, 52.85.65.100, 52.85.65.64, 52.85.65.126 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
www.google.com | 142.250.185.196 | whitelisted

Threats

PID | Process | Class | Message
536 | DivXSetup.exe | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
536 | DivXSetup.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
536 | DivXSetup.exe | Misc activity | ET INFO Packed Executable Download
536 | DivXSetup.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
536 | DivXSetup.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
536 | DivXSetup.exe | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
536 | DivXSetup.exe | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
536 | DivXSetup.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
536 | DivXSetup.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
536 | DivXSetup.exe | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
No debug info