File name: InputMapper 1.6.10.19991.exe

Full analysis: https://app.any.run/tasks/8d963d55-b890-4ba8-9ad7-e1aa5c0fcc7e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 17, 2019, 12:10:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
  • evasion
  • loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 63ACAF6793AD2508A153FB8B001388AC
SHA1: D29726A2D29AB9D0F26149F05FA02F20EA0DD329
SHA256: DFF494DFD5FC39EAAE8BA4C35029A16911B11E3F698CEBC6951C0F212B1D95D4
SSDEEP: 196608:nRo3FUKvYRo3FUKc6863ayiw3uDYtw9BoxzPJ:RoVUKCoVUKEKhuDYtWBQJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • dxwebsetup.exe (PID: 2756)
      • dxwsetup.exe (PID: 3668)
      • BingBarSetup-Partner.exe (PID: 3744)
      • RunOncePack.EXE (PID: 2748)
      • BBSetup.exe (PID: 1024)
      • BingBarSetup-Partner.EXE (PID: 1836)
      • Xbox360_32Eng.exe (PID: 1944)
      • DXSETUP.exe (PID: 2552)
      • setup.exe (PID: 1424)
      • setupstb.exe (PID: 4072)
      • XBoxStat.exe (PID: 3596)
      • vcredist_x86.exe (PID: 332)
      • vcredist_x86.exe (PID: 2700)
      • ScpVBusInstaller.exe (PID: 2224)
      • ExclusiveModeTool.exe (PID: 3824)
    • Loads the Task Scheduler DLL interface

      • InputMapper 1.6.10.19991.exe (PID: 3420)
    • Changes the autorun value in the registry

      • dxwebsetup.exe (PID: 2756)
      • BingBarSetup-Partner.exe (PID: 3744)
      • BingBarSetup-Partner.EXE (PID: 1836)
      • RunOncePack.EXE (PID: 2748)
      • vcredist_x86.exe (PID: 332)
    • Loads dropped or rewritten executable

      • dxwsetup.exe (PID: 3668)
      • InputMapper 1.6.10.19991.exe (PID: 3420)
      • setup.exe (PID: 1424)
      • setupstb.exe (PID: 4072)
      • DXSETUP.exe (PID: 2552)
      • vcredist_x86.exe (PID: 2700)
      • XBoxStat.exe (PID: 3596)
      • ScpVBusInstaller.exe (PID: 2224)
    • Changes settings of System certificates

      • dxwsetup.exe (PID: 3668)
    • Downloads executable files from the Internet

      • dxwsetup.exe (PID: 3668)
    • Loads the Task Scheduler COM API

      • setupstb.exe (PID: 4072)
      • ExclusiveModeTool.exe (PID: 3824)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • InputMapper 1.6.10.19991.exe (PID: 3420)
      • dxwsetup.exe (PID: 3668)
      • DXSETUP.exe (PID: 2552)
      • DrvInst.exe (PID: 4024)
      • msiexec.exe (PID: 988)
      • DrvInst.exe (PID: 1320)
      • ScpVBusInstaller.exe (PID: 2224)
      • DrvInst.exe (PID: 3464)
    • Executable content was dropped or overwritten

      • InputMapper 1.6.10.19991.exe (PID: 3420)
      • dxwebsetup.exe (PID: 2756)
      • BingBarSetup-Partner.exe (PID: 3744)
      • BingBarSetup-Partner.EXE (PID: 1836)
      • dxwsetup.exe (PID: 3668)
      • BBSetup.exe (PID: 1024)
      • msiexec.exe (PID: 988)
      • Xbox360_32Eng.exe (PID: 1944)
      • DXSETUP.exe (PID: 2552)
      • RunOncePack.EXE (PID: 2748)
      • MsiExec.exe (PID: 2864)
      • DrvInst.exe (PID: 4024)
      • vcredist_x86.exe (PID: 2700)
      • ScpVBusInstaller.exe (PID: 2224)
      • DrvInst.exe (PID: 3464)
      • InputMapper 1.6.10.19991.exe (PID: 2188)
      • DrvInst.exe (PID: 1320)
    • Reads Environment values

      • InputMapper 1.6.10.19991.exe (PID: 3420)
      • InputMapper 1.6.10.19991.exe (PID: 2188)
    • Adds / modifies Windows certificates

      • dxwsetup.exe (PID: 3668)
    • Creates files in the user directory

      • InputMapper 1.6.10.19991.exe (PID: 3420)
      • dxwsetup.exe (PID: 3668)
      • RunOncePack.EXE (PID: 2748)
    • Executed as Windows Service

      • vssvc.exe (PID: 2500)
    • Searches for installed software

      • dxwsetup.exe (PID: 3668)
      • DllHost.exe (PID: 1340)
      • DXSETUP.exe (PID: 2552)
      • DllHost.exe (PID: 308)
      • vcredist_x86.exe (PID: 332)
      • DrvInst.exe (PID: 3464)
    • Executed via COM

      • DllHost.exe (PID: 1340)
      • DrvInst.exe (PID: 1768)
      • DllHost.exe (PID: 308)
      • DrvInst.exe (PID: 3376)
      • DrvInst.exe (PID: 4024)
      • DrvInst.exe (PID: 3192)
      • DrvInst.exe (PID: 3464)
      • DrvInst.exe (PID: 1320)
      • DrvInst.exe (PID: 1072)
    • Creates COM task schedule object

      • dxwsetup.exe (PID: 3668)
      • msiexec.exe (PID: 988)
    • Checks for external IP

      • RunOncePack.EXE (PID: 2748)
    • Creates files in the program directory

      • RunOncePack.EXE (PID: 2748)
      • ScpVBusInstaller.exe (PID: 2224)
      • BBSetup.exe (PID: 1024)
      • InputMapper 1.6.10.19991.exe (PID: 2188)
    • Removes files from Windows directory

      • dxwsetup.exe (PID: 3668)
      • DXSETUP.exe (PID: 2552)
      • DrvInst.exe (PID: 4024)
      • DrvInst.exe (PID: 3464)
      • DrvInst.exe (PID: 1320)
      • InputMapper 1.6.10.19991.exe (PID: 3420)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 988)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 4024)
      • DrvInst.exe (PID: 3464)
      • DrvInst.exe (PID: 1320)
    • Executed via Task Scheduler

      • XBoxStat.exe (PID: 3596)
    • Creates a software uninstall entry

      • vcredist_x86.exe (PID: 332)
    • Application launched itself

      • InputMapper 1.6.10.19991.exe (PID: 3420)
      • cmd.exe (PID: 2680)
      • cmd.exe (PID: 2484)
    • Reads internet explorer settings

      • InputMapper 1.6.10.19991.exe (PID: 3420)
    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 3464)
    • Starts CMD.EXE for commands execution

      • InputMapper 1.6.10.19991.exe (PID: 3420)
      • cmd.exe (PID: 2484)
      • cmd.exe (PID: 2680)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2484)
      • cmd.exe (PID: 2680)
  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2500)
    • Dropped object may contain Bitcoin addresses

      • dxwsetup.exe (PID: 3668)
      • BingBarSetup-Partner.EXE (PID: 1836)
      • BBSetup.exe (PID: 1024)
      • msiexec.exe (PID: 988)
    • Reads settings of System Certificates

      • dxwsetup.exe (PID: 3668)
      • ScpVBusInstaller.exe (PID: 2224)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 988)
    • Creates or modifies windows services

      • msiexec.exe (PID: 988)
    • Application launched itself

      • msiexec.exe (PID: 988)
    • Creates files in the program directory

      • msiexec.exe (PID: 988)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2864)
      • msiexec.exe (PID: 988)
      • MsiExec.exe (PID: 2332)
      • MsiExec.exe (PID: 3700)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 988)
    • Application was dropped or rewritten from another process

      • MSI23EA.tmp (PID: 3380)
      • MSI9F64.tmp (PID: 4004)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (17.9)
.exe | Win32 Executable MS Visual C++ (generic) (13.4)
.exe | Win64 Executable (generic) (11.9)
.dll | Win32 Dynamic Link Library (generic) (2.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:02:04 11:50:01+01:00
PEType: PE32
LinkerVersion: 14
CodeSize: 1127936
InitializedDataSize: 642560
UninitializedDataSize: -
EntryPoint: 0xd1f33
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.6.10.19991
ProductVersionNumber: 1.6.10.19991
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: DSDCS
FileDescription: This installer database contains the logic and data required to install InputMapper.
FileVersion: 1.6.10.19991
InternalName: InputMapper(1.6.10.19991)
LegalCopyright: Copyright (C) 2016 DSDCS
OriginalFileName: InputMapper(1.6.10.19991).exe
ProductName: InputMapper
ProductVersion: 1.6.10.19991

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 04-Feb-2016 10:50:01
Detected languages:
  • English - United States
Debug artifacts:
  • C:\Branch\win\Release\stubs\x86\ExternalUi.pdb
CompanyName: DSDCS
FileDescription: This installer database contains the logic and data required to install InputMapper.
FileVersion: 1.6.10.19991
InternalName: InputMapper(1.6.10.19991)
LegalCopyright: Copyright (C) 2016 DSDCS
OriginalFileName: InputMapper(1.6.10.19991).exe
ProductName: InputMapper
ProductVersion: 1.6.10.19991

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000120

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 04-Feb-2016 10:50:01
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00113508 | 0x00113600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.63485
.rdata | 0x00115000 | 0x0004DBB4 | 0x0004DC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.47961
.data | 0x00163000 | 0x0000710C | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.8379
.gfids | 0x0016B000 | 0x000003E8 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.86819
.tls | 0x0016C000 | 0x00000009 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931
.rsrc | 0x0016D000 | 0x000355C8 | 0x00035600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.49142
.reloc | 0x001A3000 | 0x00014210 | 0x00014400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.59603

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.18998 | 1909 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 3.06463 | 67624 | Latin 1 / Western European | English - United States | RT_ICON
3 | 3.62797 | 16936 | Latin 1 / Western European | English - United States | RT_ICON
4 | 3.78695 | 9640 | Latin 1 / Western European | English - United States | RT_ICON
5 | 4.60176 | 4264 | Latin 1 / Western European | English - United States | RT_ICON
6 | 5.33612 | 2440 | Latin 1 / Western European | English - United States | RT_ICON
7 | 3.94882 | 1128 | Latin 1 / Western European | English - United States | RT_ICON
9 | 3.37783 | 1116 | Latin 1 / Western European | English - United States | RT_STRING
10 | 3.35254 | 1888 | Latin 1 / Western European | English - United States | RT_STRING
11 | 3.31743 | 760 | Latin 1 / Western European | English - United States | RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 94
Monitored processes: 49
Malicious processes: 16
Suspicious processes: 5

Behavior graph

[Behavior graph: interactive process tree (drop-and-start chains from InputMapper 1.6.10.19991.exe through the installers, msiexec.exe, DrvInst.exe and cmd.exe/attrib.exe children); not reproduced here, available in the full report]

Process information

PID: 308
CMD: C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\dllhost.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 332
CMD: "C:\Users\admin\AppData\Roaming\DSDCS\InputMapper\prerequisites\Visual C++ Redistributable for Visual Studio 2013\vcredist_x86.exe"
Path: C:\Users\admin\AppData\Roaming\DSDCS\InputMapper\prerequisites\Visual C++ Redistributable for Visual Studio 2013\vcredist_x86.exe
Parent process: InputMapper 1.6.10.19991.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
Exit code: 0
Version: 12.0.30501.0
Modules (images):
  • c:\users\admin\appdata\roaming\dsdcs\inputmapper\prerequisites\visual c++ redistributable for visual studio 2013\vcredist_x86.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 876
CMD: C:\Windows\system32\MsiExec.exe -Embedding C91BD9858E56ADE9FCBB542151B8424D M Global\MSI0000
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\msiexec.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\lpk.dll

PID: 988
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\msiexec.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 1024
CMD: C:\Users\admin\AppData\Local\Temp\IXP002.TMP\BBSetup.exe cabLocation=.\BingBarPartnerConfig.cab hashLanguage=oem
Path: C:\Users\admin\AppData\Local\Temp\IXP002.TMP\BBSetup.exe
Parent process: BingBarSetup-Partner.EXE
User: admin
Company: Microsoft Corporation.
Integrity Level: HIGH
Description: Bing Bar Setup
Exit code: 0
Version: 7.1.362.0
Modules (images):
  • c:\users\admin\appdata\local\temp\ixp002.tmp\bbsetup.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 1072
CMD: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot21" "" "" "6f9bf5bcb" "00000000" "000004D8" "000005E8"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\drvinst.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\setupapi.dll
  • c:\windows\system32\cfgmgr32.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll

PID: 1320
CMD: DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem5.inf" "scpvbus.inf:SCProductions.NTx86:ScpVBus_Install:1.0.0.103:root\scpvbus" "6b5cfab93" "000005BC" "0000053C" "000004D8"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\drvinst.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\setupapi.dll
  • c:\windows\system32\cfgmgr32.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll

PID: 1340
CMD: C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\dllhost.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 1424
CMD: c:\7a832ce5da06e7f24303c7\setup.exe /norestart /passive
Path: c:\7a832ce5da06e7f24303c7\setup.exe
Parent process: Xbox360_32Eng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Setup.exe
Exit code: 1
Version: 1.20.146.0
Modules (images):
  • c:\7a832ce5da06e7f24303c7\setup.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll

PID: 1732
CMD: C:\Windows\system32\cmd.exe /S /D /c" cls"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  • c:\windows\system32\cmd.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\winbrand.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
Total events: 18 277
Read events: 3 185
Write events: 15 003
Delete events: 89

Modification events

(PID) Process: (3420) InputMapper 1.6.10.19991.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InputMapper 1_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (3420) InputMapper 1.6.10.19991.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InputMapper 1_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (3420) InputMapper 1.6.10.19991.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InputMapper 1_RASAPI32
Operation: write
Name: FileTracingMask
Value: 4294901760

(PID) Process: (3420) InputMapper 1.6.10.19991.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InputMapper 1_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value: 4294901760

(PID) Process: (3420) InputMapper 1.6.10.19991.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InputMapper 1_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (3420) InputMapper 1.6.10.19991.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InputMapper 1_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (3420) InputMapper 1.6.10.19991.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InputMapper 1_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (3420) InputMapper 1.6.10.19991.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InputMapper 1_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (3420) InputMapper 1.6.10.19991.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InputMapper 1_RASMANCS
Operation: write
Name: FileTracingMask
Value: 4294901760

(PID) Process: (3420) InputMapper 1.6.10.19991.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InputMapper 1_RASMANCS
Operation: write
Name: ConsoleTracingMask
Value: 4294901760
Executable files: 290
Suspicious files: 153
Text files: 6 797
Unknown types: 121

Dropped files

PID | Process | Filename | Type
3420 | InputMapper 1.6.10.19991.exe | C:\Users\admin\AppData\Roaming\DSDCS\InputMapper\prerequisites\dxwebsetup.exe.part | -
3420 | InputMapper 1.6.10.19991.exe | C:\Users\admin\AppData\Roaming\DSDCS\InputMapper\prerequisites\Xbox360_32Eng.exe.part | -
3420 | InputMapper 1.6.10.19991.exe | C:\Users\admin\AppData\Roaming\DSDCS\InputMapper\prerequisites\Visual C++ Redistributable for Visual Studio 2013\vcredist_x86.exe.part | -
3668 | dxwsetup.exe | C:\Windows\system32\directx\websetup\SET7643.tmp | -
3668 | dxwsetup.exe | C:\Windows\system32\directx\websetup\SET7644.tmp | -
3668 | dxwsetup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\dxupdate[1].cab | -
3668 | dxwsetup.exe | C:\Windows\msdownld.tmp\AS158631.tmp\dxupdate.cab | -
3420 | InputMapper 1.6.10.19991.exe | C:\Users\admin\AppData\Roaming\DSDCS\InputMapper\prerequisites\Xbox360_32Eng.exe | executable
3668 | dxwsetup.exe | C:\Windows\INF\setupapi.app.log | ini
3420 | InputMapper 1.6.10.19991.exe | C:\Windows\Tasks\C__Users_admin_AppData_Local_Temp_InputMapper 1.6.10.19991.exe.job | binary
HTTP(S) requests: 95
TCP/UDP connections: 7
DNS requests: 6
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3668 | dxwsetup.exe | GET | 200 | 104.111.214.189:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Aug2006_xinput_x86.cab | NL | compressed | 45.9 Kb | whitelisted
3668 | dxwsetup.exe | GET | 200 | 104.111.214.189:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Dec2006_xact_x86.cab | NL | compressed | 142 Kb | whitelisted
3668 | dxwsetup.exe | GET | 200 | 104.111.214.189:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Oct2006_xact_x86.cab | NL | compressed | 135 Kb | whitelisted
3668 | dxwsetup.exe | GET | 200 | 104.111.214.189:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/dxupdate.cab | NL | compressed | 94.8 Kb | whitelisted
3668 | dxwsetup.exe | GET | 200 | 104.111.214.189:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Feb2006_xact_x86.cab | NL | compressed | 130 Kb | whitelisted
3668 | dxwsetup.exe | GET | 200 | 104.111.214.189:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Dec2006_d3dx10_00_x86.cab | NL | compressed | 187 Kb | whitelisted
3668 | dxwsetup.exe | GET | 200 | 104.111.214.189:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Aug2007_xact_x86.cab | NL | compressed | 150 Kb | whitelisted
3668 | dxwsetup.exe | GET | 200 | 104.111.214.189:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Apr2006_xact_x86.cab | NL | compressed | 130 Kb | whitelisted
3668 | dxwsetup.exe | GET | 200 | 104.111.214.189:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Jun2007_xact_x86.cab | NL | compressed | 150 Kb | whitelisted
3668 | dxwsetup.exe | GET | 200 | 104.111.214.189:80 | http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/Mar2008_x3daudio_x86.cab | NL | compressed | 22.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3420 | InputMapper 1.6.10.19991.exe | 104.111.214.189:80 | download.microsoft.com | Akamai International B.V. | NL | whitelisted
3668 | dxwsetup.exe | 104.111.214.189:80 | download.microsoft.com | Akamai International B.V. | NL | whitelisted
3668 | dxwsetup.exe | 52.142.114.176:80 | g.msn.com | Microsoft Corporation | IE | whitelisted
2748 | RunOncePack.EXE | 104.26.15.73:80 | freegeoip.net | Cloudflare Inc | US | shared
1024 | BBSetup.exe | 20.41.62.11:80 | g.ceipmsn.com | - | US | suspicious
332 | vcredist_x86.exe | 2.16.186.74:80 | crl.microsoft.com | Akamai International B.V. | - | whitelisted

DNS requests

Domain | IP | Reputation
download.microsoft.com | 104.111.214.189 | whitelisted
g.msn.com | 52.142.114.176 | whitelisted
freegeoip.net | 104.26.15.73, 104.26.14.73 | malicious
g.ceipmsn.com | 20.41.62.11 | suspicious
crl.microsoft.com | 2.16.186.74, 2.16.186.120 | whitelisted

Threats

PID | Process | Class | Message
3420 | InputMapper 1.6.10.19991.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3668 | dxwsetup.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3668 | dxwsetup.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
1024 | BBSetup.exe | Potential Corporate Privacy Violation | ET POLICY BingBar ToolBar User-Agent (BingBar)
1024 | BBSetup.exe | Potential Corporate Privacy Violation | ET POLICY BingBar ToolBar User-Agent (BingBar)
6 ETPRO signatures available at the full report
Process | Message
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | Invalid parameter passed to C runtime function.
dxwsetup.exe | Invalid parameter passed to C runtime function.
dxwsetup.exe | DLL_PROCESS_DETACH
dxwsetup.exe | DLL_PROCESS_DETACH
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_ATTACH
dxwsetup.exe | DLL_PROCESS_DETACH
dxwsetup.exe | DLL_PROCESS_DETACH