
Windows Analysis Report
5b1cxnTnnS.exe

Overview

General Information

Sample Name:5b1cxnTnnS.exe
Analysis ID:1315318
MD5:5225371f32a1ba8a5daa8f14ce64e8bf
SHA1:8f9221f0fd7c5cfe50f12337b5ce35f4c07c6e3e
SHA256:1743f4a392b6d2ad0d47a7a57e277e1a29ecf459275b604919a6131739afdaad
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes many files with high entropy
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Drops PE files
Tries to load missing DLLs
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
Checks for available system drives (often done to infect USB drives)
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections

Classification

  • System is w10x64_ra
  • 5b1cxnTnnS.exe (PID: 1504 cmdline: C:\Users\user\Desktop\5b1cxnTnnS.exe MD5: 5225371F32A1BA8A5DAA8F14CE64E8BF)
    • dxwebsetup.exe (PID: 3764 cmdline: "C:\Users\user\AppData\Local\Temp\dxwebsetup.exe" MD5: 2CBD6AD183914A0C554F0739069E77D7)
      • dxwsetup.exe (PID: 2508 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe MD5: AC3A5F7BE8CD13A863B50AB5FE00B71C)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Window detected: Installing Microsoft(R) DirectX(R)Welcome to setup for DirectXThe DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT DIRECTX END USER RUNTIMEThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways.
You may not* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9659_none_d08cfd96442b25cc\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 151.101.2.132:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: z:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: x:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: v:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: t:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: r:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: p:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: n:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: l:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: j:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: h:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: f:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: b:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: y:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: w:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: u:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: s:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: q:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: o:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: m:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: k:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: i:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: g:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: e:
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | File opened: c:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: a:
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: httpd.apache.org
Source: unknown | HTTPS traffic detected: 151.101.2.132:443 -> 192.168.2.3:49712 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BJM855OV\dxupdate[1].cab entropy: 7.99005571784Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx10_00_x86.cab entropy: 7.99660427625Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\Dec2006_d3dx10_00_x64[1].cab entropy: 7.99694629492Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2005_d3dx9_24_x86.cab entropy: 7.99897272471Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2005_d3dx9_25_x86.cab entropy: 7.99907513517Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2005_d3dx9_26_x86.cab entropy: 7.99904021782Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS52BC9A.tmp\Aug2005_d3dx9_27_x86.cab entropy: 7.99913898215Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2005_d3dx9_28_x86.cab entropy: 7.99912186515Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS52CE0F.tmp\Feb2006_d3dx9_29_x86.cab entropy: 7.99922866964Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2006_d3dx9_30_x86.cab entropy: 7.99905051808Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BJM855OV\Jun2007_d3dx9_34_x86[1].cab entropy: 7.99906642826Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2007_d3dx10_34_x86.cab entropy: 7.9989902264Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\Aug2007_d3dx9_35_x86[1].cab entropy: 7.9991869164Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx9_32_x86.cab entropy: 7.99909224767Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx9_33_x86.cab entropy: 7.99928426182Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS52F945.tmp\Apr2007_d3dx10_33_x86.cab entropy: 7.99896802841Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Mar2008_d3dx10_37_x86.cab entropy: 7.99894945695Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS5346C9.tmp\Jun2008_d3dx9_38_x86.cab entropy: 7.99972642235Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS534F74.tmp\Jun2008_d3dx10_38_x86.cab entropy: 7.99898013077Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS53248B.tmp\Nov2007_d3dx9_36_x86.cab entropy: 7.99907865291Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Nov2007_d3dx10_36_x86.cab entropy: 7.99885807363Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\Mar2008_d3dx9_37_x86[1].cab entropy: 7.99972380205Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2008_d3dx9_39_x86.cab entropy: 7.9996829971Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS53628E.tmp\Aug2008_d3dx10_39_x86.cab entropy: 7.99888618458Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BJM855OV\Nov2008_d3dx9_40_x86[1].cab entropy: 7.99964527898Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\Nov2008_d3dx10_40_x86[1].cab entropy: 7.99901184706Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\Mar2009_d3dx9_41_x86[1].cab entropy: 7.99977242309Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Mar2009_d3dx10_41_x86.cab entropy: 7.99875716031Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BJM855OV\Aug2009_d3dx9_42_x86[1].cab entropy: 7.99947517428Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\Aug2009_d3dx10_42_x86[1].cab entropy: 7.99617858979Jump to dropped file
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: perfos.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: amsi.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: samlib.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: dxgi.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: dxcore.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: d3d11.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: cryptnet.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: edputil.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: cldapi.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: fltlib.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: appresolver.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exeSection loaded: slc.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File deleted: C:\Windows\SysWOW64\directx\websetup\SET16C5.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\Logs\DirectX.log
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\5b1cxnTnnS.exe C:\Users\user\Desktop\5b1cxnTnnS.exe
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Process created: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe "C:\Users\user\AppData\Local\Temp\dxwebsetup.exe"
Source: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E449686-C509-11CF-AAFA-00AA00B6015C}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSETUP32 DLL Mutex
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\DXUPDATE DLL Mutex
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BJM855OV\dxupdate[1].cab
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | File created: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe
Source: classification engine | Classification label: mal52.rans.evad.winEXE@5/51@1/20
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Window detected: Installing Microsoft(R) DirectX(R)Welcome to setup for DirectXThe DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT DIRECTX END USER RUNTIMEThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways.
You may not* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the s
Source: 5b1cxnTnnS.exe | Static file information: File size 21521888 > 1048576
Source: 5b1cxnTnnS.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 5b1cxnTnnS.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9659_none_d08cfd96442b25cc\MSVCR80.dll
Source: 5b1cxnTnnS.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x126a00
Source: 5b1cxnTnnS.exe | Static PE information: Raw size of .pdata0 is bigger than: 0x100000 < 0x9a1600
Source: 5b1cxnTnnS.exe | Static PE information: Raw size of .pdata2 is bigger than: 0x100000 < 0x92aa00
Source: 5b1cxnTnnS.exe | Static PE information: section name: _RDATA
Source: 5b1cxnTnnS.exe | Static PE information: section name: .pdata0
Source: 5b1cxnTnnS.exe | Static PE information: section name: .pdata1
Source: 5b1cxnTnnS.exe | Static PE information: section name: .pdata2
Source: initial sample | Static PE information: section where entry point is pointing to: .pdata2
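The static findings above (entry point in .pdata2, four section names a linker does not normally emit, three sections with raw sizes over 1 MiB, image base above 0x60000000) can all be reproduced from the PE headers without executing anything. The following is an added example and not code from the report or from Joe Sandbox: it parses the section table with the Python standard library and runs the same checks against a header-only PE32+ image constructed here from the section names and raw sizes the report lists for 5b1cxnTnnS.exe. The virtual addresses, the entry RVA, the "standard section name" set and the 1 MiB threshold are assumptions of this example.

```python
import struct

# Section names a mainstream linker normally emits. The sandbox's own list is
# not published; this set is our assumption for the check below.
STANDARD_SECTIONS = {
    ".text", ".data", ".rdata", ".idata", ".edata", ".pdata", ".rsrc", ".reloc",
    ".bss", ".tls", ".CRT", ".debug", ".xdata", ".gfids", ".00cfg",
}
ONE_MIB = 0x100000
HIGH_IMAGE_BASE = 0x60000000
SECTION_HDR = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_headers(data: bytes) -> dict:
    """Read the COFF header, the optional-header fields we need and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x20B:                                    # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                  # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_pointer": f[4], "characteristics": f[9]})
    return {"machine": machine, "image_base": image_base,
            "entry_rva": entry_rva, "sections": sections}


def section_containing(sections, rva):
    """Section whose virtual range covers `rva`, or None."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s
    return None


def static_findings(pe: dict) -> list:
    """Header-level triage checks mirroring the report's static PE signatures."""
    findings = []
    entry = section_containing(pe["sections"], pe["entry_rva"])
    if entry is None:
        findings.append("entry point outside every section")
    elif entry["name"] not in STANDARD_SECTIONS:
        findings.append(f"entry point in non-standard section {entry['name']}")
    odd = [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    for s in pe["sections"]:
        if s["raw_size"] > ONE_MIB:
            findings.append(f"raw size of {s['name']} is {s['raw_size']:#x} > {ONE_MIB:#x}")
    if pe["image_base"] > HIGH_IMAGE_BASE:
        findings.append(f"image base {pe['image_base']:#x} > {HIGH_IMAGE_BASE:#x}")
    return findings


def build_header_only_pe(sections, entry_rva, image_base=0x140000000) -> bytes:
    """Constructed PE32+ headers with the given section table and no section data,
    enough for the checks above. Test input, not the analysed sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240)                                   # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<Q", opt, 24, image_base)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, va, raw, ptr, 0, 0, 0, 0, chars)
        for name, vsize, va, raw, ptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Section names and raw sizes as reported for 5b1cxnTnnS.exe; addresses are made up.
SAMPLE_SECTIONS = [
    (".text",   0x126A00, 0x001000, 0x126A00, 0x000400, 0x60000020),
    ("_RDATA",  0x000200, 0x128000, 0x000200, 0x126E00, 0x40000040),
    (".pdata0", 0x9A1600, 0x129000, 0x9A1600, 0x127000, 0x40000040),
    (".pdata1", 0x001000, 0xACB000, 0x001000, 0xAC8600, 0x40000040),
    (".pdata2", 0x92AA00, 0xACC000, 0x92AA00, 0xAC9600, 0xE0000020),
]
SAMPLE_PE = build_header_only_pe(SAMPLE_SECTIONS, entry_rva=0xACC010)

if __name__ == "__main__":
    for finding in static_findings(parse_pe_headers(SAMPLE_PE)):
        print(finding)
```

Run on the real sample, the same parser gives the actual virtual addresses and characteristics, which is what decides whether a non-standard section is merely large data or is executable code the loader will run first: .pdata2 carrying the entry point is the detail that matters, since the real .pdata section holds exception-unwind tables and is never executed.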
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxupdate.dll
Source: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll
Source: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Source: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | File created: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Memory written: PID: 1504 base: 7FFCB7290008 value: E9 AB CA EA FF
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Memory written: PID: 1504 base: 7FFCB713CAB0 value: E9 60 35 15 00
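Both five-byte writes above start with E9, the x86/x64 near jump with a 32-bit signed displacement, so the first thing to do with such a record is decode where each jump lands. The following is an added example, not part of the Joe Sandbox report: the two patch sites and byte values are copied from the records above, everything else (the helper names, and the reading of the pair as a detour plus its return trampoline) is this example's own.

```python
import struct

JMP_REL32_OPCODE = 0xE9
JMP_REL32_LEN = 5
MASK64 = (1 << 64) - 1

# Patch sites and bytes copied from the two "Memory written" records above.
REPORTED_WRITES = [
    (0x7FFCB7290008, bytes.fromhex("E9ABCAEAFF")),
    (0x7FFCB713CAB0, bytes.fromhex("E960351500")),
]


def decode_jmp_rel32(site: int, patch: bytes) -> int:
    """Absolute target of an E9 rel32 written at `site`.

    The displacement is relative to the end of the five-byte instruction,
    so target = site + 5 + sign-extended little-endian rel32.
    """
    if len(patch) < JMP_REL32_LEN or patch[0] != JMP_REL32_OPCODE:
        raise ValueError(f"no JMP rel32 at {site:#x}: {patch.hex()}")
    rel32 = struct.unpack_from("<i", patch, 1)[0]
    return (site + JMP_REL32_LEN + rel32) & MASK64


def encode_jmp_rel32(site: int, target: int) -> bytes:
    """Inverse of decode_jmp_rel32; raises if the target is out of rel32 range."""
    rel = target - (site + JMP_REL32_LEN)
    if not -(1 << 31) <= rel < (1 << 31):
        raise ValueError("target not reachable with a rel32 jump")
    return bytes([JMP_REL32_OPCODE]) + struct.pack("<i", rel)


def cross_reference(writes):
    """Decode every write and relate its target to the nearest other patch site.

    In an inline detour the patch at the hooked function jumps into the hook,
    and a trampoline jumps back just past the bytes the hook overwrote, so the
    two targets land a few bytes beyond each other's site.
    """
    decoded = [{"site": s, "target": decode_jmp_rel32(s, p)} for s, p in writes]
    for entry in decoded:
        others = [d["site"] for d in decoded if d["site"] != entry["site"]]
        if not others:
            entry["nearest_other_site"] = None
            entry["offset_past_other_site"] = None
            continue
        nearest = min(others, key=lambda s: abs(entry["target"] - s))
        entry["nearest_other_site"] = nearest
        entry["offset_past_other_site"] = entry["target"] - nearest
    return decoded


if __name__ == "__main__":
    for e in cross_reference(REPORTED_WRITES):
        print(f"{e['site']:#x} -> {e['target']:#x} "
              f"({e['offset_past_other_site']:+d} bytes from {e['nearest_other_site']:#x})")
```

Decoded, the write at 7FFCB7290008 jumps to 7FFCB713CAB8, eight bytes past the second patch site, and the write at 7FFCB713CAB0 jumps to 7FFCB7290015, thirteen bytes past the first. Mutual jumps of that shape are what a detour and its return trampoline look like; which of the two addresses is the hooked function and which is the hook is not recoverable from the report, nor does the report name the module at either address (the 0x7FFC... range is where 64-bit Windows maps user-mode DLLs, so a memory dump of PID 1504 would be needed to attribute them).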
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSAcpi_ThermalZoneTemperature
Source: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll
Source: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Process created: C:\Users\user\AppData\Local\Temp\dxwebsetup.exe "C:\Users\user\AppData\Local\Temp\dxwebsetup.exe"
Source: C:\Users\user\Desktop\5b1cxnTnnS.exe | Queries volume information: C:\ VolumeInformation
MITRE ATT&CK matrix, one line per tactic (the original is a 14-column grid that extraction flattened). A leading number is the count the matrix attaches to a matched technique; entries without a number carry no match count in the original.

Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 11 Process Injection; 1 DLL Side-Loading; 1 File Deletion; Steganography
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 11 Peripheral Device Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: 1 Replication Through Removable Media; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Credential API Hooking; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: 2 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data

Initial sample (Source | Detection | Scanner | Label):
5b1cxnTnnS.exe | 11% | ReversingLabs | Win64.Trojan.Generic

Dropped files (Source | Detection | Scanner):
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\dxwebsetup.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxupdate.dll | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
httpd.apache.org | 151.101.2.132 | true | false | - | high

Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENET (US) | false
184.50.44.210 | unknown | United States | 16625 | AKAMAI-AS (US) | false
151.101.2.132 | httpd.apache.org | United States | 54113 | FASTLY (US) | false
    Joe Sandbox Version:38.0.0 Beryl
    Analysis ID:1315318
    Start date and time:2023-09-27 16:24:57 +02:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
    Number of analysed new started processes analysed:7
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample file name:5b1cxnTnnS.exe
    Detection:MAL
    Classification:mal52.rans.evad.winEXE@5/51@1/20
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
    • Excluded IPs from analysis (whitelisted): 184.50.44.210
    • Excluded domains from analysis (whitelisted): dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, slscr.update.microsoft.com, download.microsoft.com.edgekey.net, main.dl.ms.akadns.net, download.microsoft.com
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
    • Report size getting too big, too many NtEnumerateKey calls found.
    • Report size getting too big, too many NtEnumerateValueKey calls found.
    • Report size getting too big, too many NtOpenKey calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
    • VT rate limit hit for: 5b1cxnTnnS.exe
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1702192 bytes, 5 files, at 0x44 +A "d3dx9_35_x86.cat" +A "d3dx9_35.dll", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1711360
    Entropy (8bit):7.999186916403002
    Encrypted:true
    SSDEEP:
    MD5:3ED592E6CDAE66B1C0671D9EC417A738
    SHA1:9F083FFE00A8E5EABF282130CD16044B488B6E0D
    SHA-256:4914D2B5C3251B00C0CC236F51AFE469728D92B50C953C66D213F079AC928EAC
    SHA-512:0144DD9A83F953EABAAFF3C41F17A363100C9A2CCD932321A4AFE990D8FCB5A430E842DE9146C983409B6366CD974E318A535E6475B10839A6679844CB7D23B7
    Malicious:true
    Reputation:low
    Preview:MSCF....0.......D...........................0....#..............s....(.........6P. .d3dx9_35_x86.cat.h.8..(.....6. .d3dx9_35.dll.\.....9....6B. .aug2007_d3dx9_35_x86.inf.....\.9....6B. .d3dx9_35_x86.inf.,...g.9....6B. .d3dx9_35_x86_xp.inf..n_.;..CK.y<.....Y.[.J.f.d.;c..l...."a..2&&[..E.BEY.EZl.%Z.(..%.+%I....3.[}...q..s?..|.w..=.s.s..y..2.S8y..........L.8.....0| .'.. .....LD.'.2'..c.ya.L.a...........C.....C.....^...T..x,.j.X....\.......2a2H.<`.`.c@. BwM(a.#..P....&[R.... $.B.....{....\....5.<$...q.t..qp..c.Z.*.J...DK...d...A@.....:t...^...X.....K...zg>......U.A..#..1v....`'d..d......A.Bf.@y.$a.d.....,.2W.=."t..........".p8.%......C.0....l.F.*.....X.Q......R.....]...c..Y.Y.<t.'...}.........gK....of...........8Gv6......O.....N!d.?...E...g3a....`...G.R2..-@.6@......\..`H$...4...&...g.6..M.........r2K.s.....FM(......}....hCJVC.T.y..@...C...d..Yk.L`....D..L....>d#.08\.h....&...&......ox...4.2......'*K....R...(E.*..@..6RH..A..t.1 ......s........).T..\.G..........w...
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 206847 bytes, 5 files, at 0x44 +A "d3dx10_00_x64.cat" +A "d3dx10.dll", flags 0x4, ID 6580, number 1, extra bytes 20 in head, 17 datablocks, 0x1503 compression
    Category:dropped
    Size (bytes):216015
    Entropy (8bit):7.996946294916653
    Encrypted:true
    SSDEEP:
    MD5:681407075E9B19E5EF2218832F6FAD71
    SHA1:E4F4D292A36CD9A3034007EF9D2005694307EB52
    SHA-256:F9BD5BB083BD55D1D2A690BC66D6D9DA0B1A8B49F09E811E788C030669121118
    SHA-512:E983E7DD3F40510816FF3AE836600A186DBA827B484B0C346C20E43E229189A86D4CB5CF219C1FC35B77AB0668866446F6E9206B279931C927D4ED66AD3625F1
    Malicious:true
    Reputation:low
    Preview:MSCF.....'......D............................'...#.............................5#a .d3dx10_00_x64.cat..)........}5.h .d3dx10.dll......H.....5T_ .infinst.exe......O.....5.` .d3dx10_00_x64.inf......Q.....5.` .dec2006_d3dx10_00_x64.inf......:..[.... .Vm.....%A.P...?..,..".._.R.&.F.J.J.K.^.^.*..".U.!. ...BvJ...G......(.........C~.b...V...i.Z..O.<.%. .*C...@l....a........XBq..Q.]g..2;..+d.[T[.Q..(ji..*J...........T%.E.5.o3w.;.x.p.+@...JH...JA%*.`.F..^....z..B......D.....*S. \.3....."A%'n..h.f%.E.Ue.T..61....i.....m.X.......Wu...pf.a...............G.B...........$..%....R...`K.x....U,/...aH........S..^..2....h.E.6....B.K.A..........4!@7..........2...].}...".2..Z...!V.......-.6..<...{}......*........o.~.ST.}.O.H.,....U.N.;..g{j.~a...^..7.n#.......SJ....~3}I9.\s.o....u.c;.../...RT....O~.R......L>C....W...K....P..z..........f%........::...vr.hC.Z.5...75+^...........evQ...8....v..)...W{..O/..<$....t...;. t..,&F.]&@.R..3e._.KZ.....C|../...^.p&..`\SVd.......ge..E.
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1437322 bytes, 5 files, at 0x44 "d3dx9_37.dll" "d3dx9_37_x86.cat", flags 0x4, ID 7166, number 1, extra bytes 20 in head, 116 datablocks, 0x1503 compression
    Category:dropped
    Size (bytes):1446490
    Entropy (8bit):7.99972380205062
    Encrypted:true
    SSDEEP:
    MD5:8ED75E3205C2B989FF2B5A7D2F0BA2DF
    SHA1:88846203588464C0BA19907C126C72F7D683B793
    SHA-256:91A50D9EFCDFBCDF22A91D6FBB0F50D3C2AA75F926D05CC166020BF7AAF30E28
    SHA-512:D0CF0E3AAD9C8C43A927D1BBBD253B9FE4C97B638AD9A56F671EBEDA68FC9BC17CC980D93095FBB248DD61DC11B7E46C22D72CEE848B150F7A13EAD9E08A7891
    Malicious:true
    Reputation:low
    Preview:MSCF............D................................#..............t.....9.......e8....d3dx9_37.dll.<'....9...e8I...d3dx9_37_x86.cat.....D.9...e8....d3dx9_37_x86.inf.,...O.9...e8....d3dx9_37_x86_xp.inf.\...{.9...e8....Mar2008_d3dx9_37_x86.inf..$.0:..[.... 92......$Q.f...>J...h.].W...uWL.I...W]J.X..V..{..Z........X.G{<..033.4..P..........ek |.b./..gFB'S...K.....fe.5.u..T<{..H....XG84QbDR.8X.Hf.H..46...H"0 ..HH.S............*.(_ ..w...H.....Q..P..vT.t@.G+...1...YH... V..Y4H..P..1R$l/..20!ls'...;....;..kmttyu...x.s....q.....q$.C..5k....(....B.r..y..<.6...Fz..hn..-.....Q.3Z...@.1.V..S?...a|....(6.......D. ....)Ej....GJ%.5 ........G.w>......p...i}..<.|..b.&!..7E.yU.O-.D......O.UC..yIA.Aj.._..D...VOc....{.f]J.<...r.)o.|-...>.PWF.....;.;..vb....4..QV'f.$......:S.hi...~...}3k......\...}a.......L5..*e....|.....1..n...T...t......[....Z.].e....d.A......'..|.V.2.|Ax..W..........B.>...x.. ..|.`...L.h..H.i.....@-.aa...7...K ...../..l.x....r...0>x..@/X...W..L..
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1606486 bytes, 5 files, at 0x44 "d3dx9_41.dll" "d3dx9_41_x86.cat", flags 0x4, ID 7142, number 1, extra bytes 20 in head, 128 datablocks, 0x1503 compression
    Category:dropped
    Size (bytes):1615654
    Entropy (8bit):7.999772423092358
    Encrypted:true
    SSDEEP:
    MD5:901567428D8C82756D7BF5A406441BD7
    SHA1:6E3C22147F3DA77AC8F20D615CA32B5EF2A0ED28
    SHA-256:32356344AEDDF709C9D5302D8F3FCC1FF1BE2E82D8D17833A2086400AF248794
    SHA-512:6FD4C429E32480BDFF4E58BA8BC0D28FE97C9FF5EF1FABBB856230EFA669246A354F99B723E7483D548B74C121AC8BA9CBA2B5BC3C18F35EE828302D392CF6ED
    Malicious:true
    Reputation:low
    Preview:MSCF....V.......D...........................V....#..................X.?.......i:k{..d3dx9_41.dll.....X.?...p:.r..d3dx9_41_x86.cat.......?...p:.r..d3dx9_41_x86.inf.,.....?...p:.r..d3dx9_41_x86_xp.inf.\.....?...p:.r..Mar2009_d3dx9_41_x86.inf.x..#.9..[.... .3......$Q.f...<...!..vW]....]eJ.*Uaq....a.Zk....}_..=hk..C.=...."......?1<..izt.`Y.._ .....H.`...uI35.:.,L.....I.;...........&...B......I....!@.A...A....a......................#..&.E....J..%. ......!..Q0..P.F......$.!...q..yXf..d....7,v......Y.....Q......EI.&..Rm....d.I....D........WJ...`.u..WK..K........yQo...2...W.U\.C.m...a.k.kpq.U..C.5.Hh).......<R.s.l.+.......);........%.g.g.....i..I.U.).H......l./._...<.C....a....U8.'.,.0GR....=.5....E.......jln..MKiliw..Q......,.2{..k...\.X$.......Q4..??...ns...?*....t.|.8U..>WJ./.>S..Vp.....0...3 ....'!*....,R........Ph..#.t*.7=.?p....D.....hX..H....J.`...Z.......$7t.......a...|S....(..G. ...V+`...,.X.P..lZ`...X>Bt....E*aM..(`..0......BA3..p.%..OE.c``.BU....).P5
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 722496 bytes, 5 files, at 0x44 "d3dx9_42.dll" "d3dx9_42_x86.cat", flags 0x4, ID 7080, number 1, extra bytes 20 in head, 59 datablocks, 0x1503 compression
    Category:dropped
    Size (bytes):731664
    Entropy (8bit):7.999475174279291
    Encrypted:true
    SSDEEP:
    MD5:9BC8213933598D050827D20A4573486C
    SHA1:E6F9BA62756A00C53746419DEA221881AEB336CF
    SHA-256:9C96B6FC4DF5C0EFCA9F0D653976772B2B964243214F99066E4CA4AA6DF791DD
    SHA-512:A1920D042963CDDA41DF44044DE5B94B4CEE6EFA102F633214E384918D93D2D6A31EB388BDBD00C7E9C199281E3B71CAA5242E9A42E7F0BE27EDF90A3CF6890C
    Malicious:true
    Reputation:low
    Preview:MSCF....@.......D...........................@....#..............;...X.........$;....d3dx9_42.dll.....X.....$;...d3dx9_42_x86.cat...........$;...d3dx9_42_x86.inf.,.........$;...d3dx9_42_x86_xp.inf.\.........$;...AUG2009_d3dx9_42_x86.inf.....::..[.... .......5!.P..wO.n..pOc....7...l.c.n..slmk]....]...B..W..D..UJ...P........C.......l8..y^.S.N.I..7%.....].n...d...>.#....zT{6+..X.UB. A*A......u7{0...n. ....d..R....=...D...F.......n..n..~U.]..U.EX, .......A^;...(...<.@#0/..O.!...i.#.C....D...D.cwC.v.y.<+.*..*..g.l....f.k...W...[..I&...M..W.&Z..^..MB...:.LyQv.l.U.=Y..%....8Ls.......-..".U.....s.f.YVvX...-..8T..m...=..9.CN!89....f.2.G.....:s.G...>.......c^.Z..=h.l..Q..w..yc.\i.Z.^...$cw.T.".d`.jhL;.ZqB.L.{...Z....h{=s.....a.4.1../..`....|;I...;...$.m!l'.g..pa.).b0..:.tT...T..{..<..T.....z.....!....,..|.@.../..A.....q.......@.....................|..5...[..p.6....FE.../.609$.....+.Q.f.N3.....L; ..6./.j.4.a*.E2....(G0,...x..5...IBS.._......9.....%0.....
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1601326 bytes, 5 files, at 0x44 +A "d3dx9_34_x86.cat" +A "d3dx9_34.dll", flags 0x4, ID 7195, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1610494
    Entropy (8bit):7.999066428256981
    Encrypted:true
    SSDEEP:
    MD5:FE8FEB215FAE59866DCD68C1604D97AA
    SHA1:CEDACA678D15E78AA458B965ABB467E8964A1FAB
    SHA-256:1C1E1C6F68BA556A0AF09A38C32EB421C543A4848C4B42D25867C98DAB3B3A50
    SHA-512:9955336B561E4FD3BA3DA7FC086643E811048A25A7E68344D2CC5CAB091980BAAE1C04CE41328B59C896662E2875886B78EC869852B2D1DAAA46AF38C894A3F2
    Malicious:true
    Reputation:low
    Preview:MSCF.....o......D............................o...#..............l....(.........6.. .d3dx9_34_x86.cat.h_5..(.....6.. .d3dx9_34.dll.......5....6.. .d3dx9_34_x86.inf.,.....5....6.. .d3dx9_34_x86_xp.inf.\...7.5....6.. .jun2007_d3dx9_34_x86.inf.A.".l>..CK..\...;T.D...1.(.`...2CH..........`.UD.....b.;va.;*6...w.{.f.l..9.....w?..=k....=.;..........Zh.....<m--.....^..:.z.#_g.~.>.Z.Z..C..|...5..J.P..JKK.(.0...>+.G..~.hy{c....b2.,..!..?E.&.j.1.u.=.1.B...q...p..>...q.Y....x..\6.uB......>........A..A.f.1..{v.Z...F.F.|:.[.Z!..@$.IA.H""ET.J.c.........d..G.....\...xco.#.G......`k?d..E..s...B,........O.0(?..r.......TD..y.W..FkkkC+i...&..!@... ..xP_>(#!...b.O.>,P.8d......lM>..R-t...[.lm2.WS|.u..._.K/.3.3.~.1a....+*....q....o.M.O>o..Y...O*/..B.y_...V..5..5..$#~.+.H..5.B.tu...../.......|.[.(5q.YT5...II..@K._.d0.@M (.U.p...J.!Q_....5.....O....?].k.)..3.u.an}*.....6A. .]].....rg....Z.0...}...u.....*P$g*eq.*.]t/......e.JE."VE.(...LhNu..(...L!g.0...:m:...V(T4~.*^...2...y
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1544836 bytes, 5 files, at 0x44 "d3dx9_40.dll" "d3dx9_40_x86.cat", flags 0x4, ID 7155, number 1, extra bytes 20 in head, 134 datablocks, 0x1503 compression
    Category:dropped
    Size (bytes):1554004
    Entropy (8bit):7.999645278979612
    Encrypted:true
    SSDEEP:
    MD5:75556D89FDD442967A23993C9111D997
    SHA1:003DE53653C0CC84F8C3D617D1F76FB475F1A7CB
    SHA-256:863AC3438F57158D4F53900C6924BFDC132AB43A5AF57D4658E65842836B4FA1
    SHA-512:6086114500DBBF4DB9D0A9C3F72732995BB9A3AB5C135EAD53143749B95651B37B64BE7A52CA09388DE90216FD00486FDFCFBC87D42D77FAC469F82B5290E06D
    Malicious:true
    Reputation:low
    Preview:MSCF............D................................#..................P.B.......O9.2..d3dx9_40.dll.....P.B...O9n:..d3dx9_40_x86.cat.......B...O9h8..d3dx9_40_x86.inf.,.....B...O9h8..d3dx9_40_x86_xp.inf.\.....B...O9h8..Nov2008_d3dx9_40_x86.inf..=.:.:..[.... .2......$Q.f...<....!Z.J.+...*ea..U.q....ha.x.y...........=.h!............X.{.<,.....?..b.):.[J{....^=mv:.i.e..}9s............F.QN.^+.).p...!9.4L..B.k ....F.}..R.. ..D%P4@...'2.$C..EU..:_... ..=.....2...Q...H|..2.hi....H3.*.%JA.O...s.n-..<.<..9;7p.wnxw,||.....du.......)..$3CN.'.)j..|...x.w..>..4.D..."..I.'.=.....$.7..m...J..F....0..F.XD..v....."*|2...A.H.R..b.()! .|..Hh`....Q.K...NH..9../^...|[!.)k...8._C/~D.W..K4.}.B.T.b.Kw..si..6.E.#6w......_.,.>6{r$X&:....s.w......k....h'5......3...0XOG.^.=..j....sFg.jO. t..?.S.l5?.t...s....`...]......'$LJ.........Z]h.. ..h.l.5b....F..0......m.....P.....n....Z.... <..7.@...,`@..#.i.r....... ......@....|....e/.pa...@Q.A..'.EL..7H..?^..C.........]i p..N7....:i.P.........
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 91192 bytes, 3 files, at 0x44 "dxupdate.dll" "dxupdate.inf", flags 0x4, ID 3666, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):100360
    Entropy (8bit):7.9900557178400815
    Encrypted:true
    SSDEEP:
    MD5:4AFD7F5C0574A0EFD163740ECB142011
    SHA1:3EBCA5343804FE94D50026DA91647442DA084302
    SHA-256:6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
    SHA-512:6F974ACEC7D6C1B6A423B28810B0840E77A9F9C1F9632C5CBA875BD895E076C7E03112285635CF633C2FA9A4D4E2F4A57437AE8DF88A7882184FF6685EE15F3F
    Malicious:true
    Reputation:low
    Preview:MSCF....8d......D...............R...........8d...#............................~>.%..dxupdate.dll.02........h=...dxupdate.inf.1...0.....~>.%..dxupdate.cif.T....'..CK.Z}.$.U....;..@.e!.#....G===.=+".?..+.s..l8....o.{....;.+..(...d,..HVd..,......(..[&H.........Y.Y..~..{.gv.vW.'.....^......^...}...1v....2.*.~.......y...a_.....^Z..V?H.Q..bo(..0.Ra...q(..`o....W.....4~...q.?...F.............].....~c...O7^..W..x.?...l.=.~$......'..o;.._.....'u.aK......=..X.........g........~.].[..+..\b._........p.=.....w...%..@.o-.....O2..w...~sn..D_:....G).../e.Q_/....=Y.x........p.0..^....w...A}..'..... ...P.7....3.av...?...Kl.......>t...O`..b.]....x..Y....._...x..}....@.....1.9.o....[.?.......)...g..'.1.i../.^.|..=........x...L.6`...>..,...K./....6...........A.#.?.8.|....?.|......w%K.>@..(.I...9.../....].....%v7.>.....-@.p....E........6...Kc..p?@.....8.|.p/..xg...7...^.(..7..X~?..........#...w...q..U....f.... ..?<.\...}.K.Z.,]+...../..-......e...aO....a9Y......Wg.
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 186171 bytes, 5 files, at 0x44 "d3dx10_42.dll" "d3dx10_42_x86.cat", flags 0x4, ID 7280, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
    Category:modified
    Size (bytes):195339
    Entropy (8bit):7.996178589789764
    Encrypted:true
    SSDEEP:
    MD5:F264AF5A36B889B4F17EB4D4F9680B4F
    SHA1:1DF087EA99D321EC96D0D2F1C66BEE94883D6F08
    SHA-256:BB46189EB8CB7769EB7BE00CFBC35902072FA9408313EF53F423E5AE5C728F61
    SHA-512:73AE1CF3CAFBA148F4E5B4D8AC12A7AA41F6ECAC86C139C6A7714F90F3DC61C444DC152A3AD3C2CA800C1A1F4955A2B508735F8490666B57D1420FB7A7BFC269
    Malicious:true
    Reputation:low
    Preview:MSCF....;.......D...............p...........;....#..................P.........$;....d3dx10_42.dll.....P.....$;...d3dx10_42_x86.cat...........$;...d3dx10_42_x86.inf.(.........$;...d3dx10_42_x86_xp.inf.c.........$;...AUG2009_d3dx10_42_x86.inf.|..f.0..CK..T.I....8*....e0.JVT`..Q......A..a@..i.k..........b.bN......fE.]...y...s._W..~.......9.6.0:../....^.._..F{.3......7.NHL.....T......Z.....Sd.)2W. Y.2Na....^.lk....+......V.J...j.W.vI.Xj.V....Y..^$....&.&....9..azKt..6.*...2..e..).,..6...0,......Z.a...R...k........(..V.E.....2..C....p>r..Y.].sR&....)....i.0.....W..#(.....j.p5.ZvR.!..:.jd..e............7:(..\....kZ..b^...s4W).. L.%......:g......./..5.......eW).....t.2..].... ..X.,.. ~80...v..k.#.1.2.....0..PF.....z.]......\.\.N.E.J`6....p.....@_..;...p.8........x.....y.6.(p.x..XJ..@O........E.v.0p...m4.8.,.6.%...P.lh.. ...B.g..0.....>v.....S.A......E@...0.P..@8....v.9..h....xc*e....'..`..._...........M.lg..P..-.!......L...@$0.........j5..m.{ .H.f.[...C@
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 959461 bytes, 6 files, at 0x44 "d3dx10_40.dll" "D3DCompiler_40.dll", flags 0x4, ID 8926, number 1, extra bytes 20 in head, 77 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):968629
    Entropy (8bit):7.999011847061652
    Encrypted:true
    SSDEEP:
    MD5:5DFEB46E60795266DA03F2D0A67E7ACD
    SHA1:A77758873E5544E8AD22ACF469C4A0FD0C944A88
    SHA-256:EC52B075A3E9C7FE468B317E0FF977964B1003D560065128741F4392BF47C49A
    SHA-512:6EC058811AC017BE3CD3A46559CD73126666F41B0FA58D92C1168CF2A2E0E2357B19F65531C786EC81A438975DBECE440C5E7B6C653AFA5428CE6C444179AF6C
    Malicious:true
    Reputation:low
    Preview:MSCF...........D................"..............#..............M...X.........O9.2..d3dx10_40.dll.`...X.....O9.2..D3DCompiler_40.dll.......%...O9p:..d3dx10_40_x86.cat.I...g.&...O9h8..d3dx10_40_x86.inf.i.....&...O9h8..d3dx10_40_x86_xp.inf.c.... &...O9h8..Nov2008_d3dx10_40_x86.inf....X.0..CK..T...{..J........D...$.....$.2.....&L+...u..Q.5#f...W].9cN...w..Qd...y.......9~.}..]u+tOMM...r.].a.O..f7#.\........m.l._a.[..,4Q.&KU...c.eq1))*.,V!S...)2...Y.*^a.Q..b........y_x.W..Q^J^.j..P..gB.*..<w....E_).$j..q.|y..{.'....1V-..N.bt..%...A.0K....u...O...K.u.F.H(u>.X.vbd.......)..Ltg)c.a..J..|.V).N.F`G.Lxk..Rf.-.<1b...0..y...*y!.g..F1Z.v..T..o......i.............!Jku.:..i...e.....Z.HR.0...6.....zk1..._.-.L....a).Gx.).........@6...........P.\....?`.....f...|.r......L9......S.T ........o:J.'.E`?..x..?...$........z.......,.<.'..D.j .....G...3...G;.......p...&@W...;....^........R .X.....L ............-...........'.r`7........)........=......r..j,e..j.)..........uX)..p.B...
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 40098 bytes, 4 files, at 0x44 +A "xinput1_2_x86.cat" +A "xinput1_2.dll", flags 0x4, ID 6335, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):49266
    Entropy (8bit):7.9632460736333766
    Encrypted:false
    SSDEEP:
    MD5:16B968CA0C435EE45E77A84C2D0364A9
    SHA1:90B17A60A34F6335787A6B2D489CBCD3A4EA98C8
    SHA-256:6DD7C0ABE37D3DF7AA6DB7BB352260F4A15DC965FF9D30AA32FE9595C1A18300
    SHA-512:3BBBFDF8B5673641EC066C3FB52E6B0D5CE0BC6ED6BFF17AB4AC3FA69A8628B09E5EC8322FC39D2A206974B54D297CAAFF9410197E26D090FE74F963CD535045
    Malicious:false
    Reputation:low
    Preview:MSCF............D................................#.............................4.R .xinput1_2_x86.cat............4.K .xinput1_2.dll............4}R .aug2006_xinput_x86.inf............4}R .xinput1_2_x86.inf.....>..CK.|.\SG..M.. @...mTT.0.(..D..M...+K0 ..D.`...T.Zkk.Am.V..k...V[l...+....*Z4....P..........&w.3g.9..\.Kz<tp..N.;.]Y...%=.!...b.............%v_88.t`qXK.;......B..3..c.8...................a...aA..C..)t...FP.q.%......'.B...("...D0.(..Al(..BY.<..."...s.!...1....&."...a..;6;h.P.#.X...p.H....c..q,..1.'..^.CL..h.C..h.%......f...S.l.'h.p.p.E.......\..G..1..'.)D>.Cd.JB..u.....6..i..A.>...&.......]..J....C..h."........x.......4....0.H.?..P.=.Z"zEaJU...F./...Y.t...~.o.y9<..9.l..7=.9_..d...!.r.F0...4..c2...a.3..y0..B..nD<.K...s!d.9|...p.0|a.U.a.=x.v$.OM.1u{...qQ,..._.R....y..f"...33...@... ......[..1.a.....0.x8..@.N.`i..0...b..c.wYs.L>&..9..A.......UXL.n..8x.....z......W+..... o.'.v.r...$g....R...4.u.r..J.P+......./o:C...Sg.g.&.3r..^.vG.v^...I.s...9..
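The cabinet entries above all carry the same pattern: libmagic reports the CFFILE table "at 0x44", "flags 0x4", "extra bytes 20 in head" and either "0x1503" or "0x1" compression, the "Size (bytes)" field exceeds the byte count in the cabinet header by exactly 9168 in every case (216015 vs 206847, 49266 vs 40098, and so on), and the "Encrypted" flag tracks entropy (true at 7.99 bits/byte and above, false for the xinput cabinet at 7.963). The following parser is an added example and is not code from the report or from the DirectX installer. It reads the CFHEADER, CFFOLDER and CFFILE records that produce those libmagic fields, decodes 0x1503 as LZX with a 21-bit window and 0x1 as MSZIP, exposes the bytes past cbCabinet as a trailer (on Authenticode-signed cabinets that is where the signature blob lives; this code does not verify it), and explains a high entropy score by the compression type instead of reporting it as encryption. The two sample cabinets are constructed in the block: a SHA-256 keystream stands in for LZX output, since no real LZX decoder is involved.

```python
"""Cabinet (MSCF) header parser plus the entropy check behind "Encrypted:true".
Added example, not part of the report or of the DirectX installer; the two
sample cabinets at the bottom are constructed here for demonstration."""
import hashlib
import math
import struct
from collections import Counter

CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET, CFHDR_RESERVE_PRESENT = 0x1, 0x2, 0x4
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}  # low nibble of typeCompress

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the figure the report calls 'Entropy (8bit)'; 0.0 for empty input."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def _cstr(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii", "replace"), end + 1

def parse_cab(buf: bytes) -> dict:
    """Read CFHEADER, CFFOLDER and CFFILE records; the CFDATA payload is never decoded."""
    if buf[:4] != b"MSCF":
        raise ValueError("not a cabinet: bad signature")
    # 36-byte CFHEADER after the signature: cbCabinet, coffFiles, cFolders, cFiles, flags, setID, iCabinet
    (cb_cabinet, coff_files, c_folders, c_files, flags,
     set_id, i_cabinet) = struct.unpack_from("<4xI4xI4xxxHHHHH", buf, 4)
    off, reserve, cb_cffolder = 36, b"", 0
    if flags & CFHDR_RESERVE_PRESENT:                   # libmagic: "extra bytes N in head"
        cb_cfheader, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", buf, off)
        off += 4
        reserve, off = buf[off:off + cb_cfheader], off + cb_cfheader
    for bit in (CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET):  # szCabinetX + szDiskX strings
        if flags & bit:
            _, off = _cstr(buf, off)
            _, off = _cstr(buf, off)
    folders = []
    for _ in range(c_folders):
        coff_start, c_cfdata, typ = struct.unpack_from("<IHH", buf, off)
        off += 8 + cb_cffolder
        folders.append({"data_offset": coff_start, "datablocks": c_cfdata,
                        "compression_raw": typ, "compression": COMPRESSION.get(typ & 0xF, "?"),
                        "lzx_window_bits": (typ >> 8) & 0x1F if typ & 0xF == 3 else None})  # 0x1503 -> 21
    files, off = [], coff_files
    for _ in range(c_files):
        size, _uoff, i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", buf, off)
        name, off = _cstr(buf, off + 16)
        files.append({"name": name, "size": size, "folder": i_folder,
                      "archive": bool(attribs & 0x20)})            # libmagic's "+A"
    data = buf[folders[0]["data_offset"]:cb_cabinet] if folders else b""
    return {"cabinet_size": cb_cabinet, "disk_size": len(buf), "cffile_offset": coff_files,
            "flags": flags, "set_id": set_id, "cabinet_number": i_cabinet, "reserve": reserve,
            "folders": folders, "files": files, "entropy": shannon_entropy(buf),
            "data_entropy": shannon_entropy(data),
            "trailer": buf[cb_cabinet:]}  # past cbCabinet: the signature blob on signed cabinets

def triage(info: dict) -> str:
    """Explain a high entropy score instead of taking 'Encrypted:true' at face value."""
    comp = info["folders"][0]["compression"] if info["folders"] else "none"
    if info["data_entropy"] > 7.9 and comp in ("LZX", "MSZIP", "Quantum"):
        return f"high entropy explained by {comp} compression"
    if info["data_entropy"] > 7.9:
        return "high entropy with no compression flag: suspect encryption or embedded payload"
    return "low entropy"

def build_cabinet(names_and_sizes, payload: bytes, compression=0x1503,
                  reserve=b"\x00" * 20, trailer=b"", set_id=6580) -> bytes:
    """Assemble a one-folder cabinet around already-'compressed' bytes (test data only)."""
    cffiles, uoff = b"", 0
    for name, size in names_and_sizes:
        cffiles += struct.pack("<IIHHHH", size, uoff, 0, 0, 0, 0x20) + name.encode() + b"\x00"
        uoff += size
    coff_files = 36 + 4 + len(reserve) + 8              # header + reserve fields + one CFFOLDER
    coff_data = coff_files + len(cffiles)
    blocks, n_blocks = b"", 0
    for i in range(0, len(payload), 0x8000):             # a CFDATA block carries at most 32 KiB
        chunk = payload[i:i + 0x8000]
        blocks += struct.pack("<IHH", 0, len(chunk), len(chunk)) + chunk
        n_blocks += 1
    cb_cabinet = coff_data + len(blocks)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, cb_cabinet, 0, coff_files, 0, 3, 1,
                                   1, len(names_and_sizes), CFHDR_RESERVE_PRESENT, set_id, 0)
    header += struct.pack("<HBB", len(reserve), 0, 0) + reserve
    return header + struct.pack("<IHH", coff_data, n_blocks, compression) + cffiles + blocks + trailer

# Constructed samples: a SHA-256 keystream stands in for LZX output, with 64 bytes of
# DER-looking trailer for an appended signature; the second cabinet stores plain INF text.
_KEYSTREAM = b"".join(hashlib.sha256(b"cab%d" % i).digest() for i in range(2048))
_TEXT = b"[Version]\r\nSignature=$Chicago$\r\n" * 200
SAMPLE_LZX = build_cabinet([("demo_x86.cat", 9000), ("demo.dll", 120000)], _KEYSTREAM,
                           compression=0x1503, trailer=b"\x30\x82" + b"\x00" * 62)
SAMPLE_STORED = build_cabinet([("demo.inf", len(_TEXT))], _TEXT, compression=0x0)

if __name__ == "__main__":
    for cab in (SAMPLE_LZX, SAMPLE_STORED):
        info = parse_cab(cab)
        print(len(info["files"]), "files,", info["folders"][0]["compression"], "->", triage(info))
```

Run against one of the dropped cabinets, `parse_cab` gives the same offsets and counts as the "File Type" line, and `disk_size - cabinet_size` yields the 9168 trailing bytes seen in every entry; whether that trailer is a valid Microsoft signature is a separate check with signtool on a Windows host. The entropy verdict is the practical point: LZX and MSZIP output is expected to sit near 8 bits/byte, so the "Encrypted:true" flag on these files is a statement about compression, not a packer or crypter finding.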
    Process:C:\Users\user\AppData\Local\Temp\dxwebsetup.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):95576
    Entropy (8bit):6.500059286855779
    Encrypted:false
    SSDEEP:
    MD5:984CAD22FA542A08C5D22941B888D8DC
    SHA1:3E3522E7F3AF329F2235B0F0850D664D5377B3CD
    SHA-256:57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308
    SHA-512:8EF171218B331F0591A4B2A5E68DCBAE98F5891518CE877F1D8D1769C59C0F4DDAE43CC43DA6606975078F889C832F0666484DB9E047782E7A0AE4A2D41F5BEF
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........xx...+...+...+..+...+...+F..+.6k+...+.6x+...+.6{+...+...+...+...+...+...+...+...+...+Rich...+................PE..L......M...........!.....*...N.......k.......@.......................................Z....@..........................5..y....*.......p..h............^..X.......H...0................................6..@............................................text...)(.......*.................. ..`.data..../...@......................@....rsrc...h....p.......@..............@..@.reloc...............H..............@..B................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\AppData\Local\Temp\dxwebsetup.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):1566040
    Entropy (8bit):6.387345800194587
    Encrypted:false
    SSDEEP:
    MD5:A5412A144F63D639B47FCC1BA68CB029
    SHA1:81BD5F1C99B22C0266F3F59959DFB4EA023BE47E
    SHA-256:8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6
    SHA-512:2679A4CB690E8D709CB5E57B59315D22F69F91EFA6C4EE841943751C882B0C0457FD4A3376AC3832C757C6DFAFFB7D844909C5665B86A95339AF586097EE0405
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?...?...?...G6..?...?..U?.......?.......?.......?...I>..?...I...?...I...?...I?..?...I8..?..Rich.?..........................PE..L......M...........!................c........................................ ............@.................................$...........P...............X............................................^..@...............h............................text............................... ..`.data....4..........................@....rsrc...P...........................@..@.reloc..D).......*..................@..B................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Windows setup INFormation
    Category:dropped
    Size (bytes):66865
    Entropy (8bit):5.567626982635727
    Encrypted:false
    SSDEEP:
    MD5:B36D3F105D18E55534AD605CBF061A92
    SHA1:788EF2DE1DEA6C8FE1D23A2E1007542F7321ED79
    SHA-256:C6C5E877E92D387E977C135765075B7610DF2500E21C16E106A225216E6442AE
    SHA-512:35AE00DA025FD578205337A018B35176095A876CD3C3CF67A3E8A8E69CD750A4CCC34CE240F11FAE3418E5E93CAF5082C987F0C63F9D953ED7CB8D9271E03B62
    Malicious:false
    Reputation:low
    Preview:..[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DXUpdate_Feb2005_x86]..DisplayName=%Feb2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=990,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Feb2005_d3dx9_24_x86.cab",3..Version=4,09,00,0904....[DXUpdate_Feb2005_x64]..DisplayName=%Feb2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1220,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Feb2005_d3dx9_24_x64.cab",3..Version=4,09,00,0904....[DXUpdate_Apr2005_x86]..DisplayName=%Apr2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1055,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Apr2005_d3dx9_25_x86.cab",3..Version=4,09,00,0904....[DXUpdate_Apr2005_x64]..DisplayName=%Apr2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1317
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):177152
    Entropy (8bit):6.549767948531931
    Encrypted:false
    SSDEEP:
    MD5:7ED554B08E5B69578F9DE012822C39C9
    SHA1:036D04513E134786B4758DEF5AFF83D19BF50C6E
    SHA-256:FB4F297E295C802B1377C6684734B7249D55743DFB7C14807BEF59A1B5DB63A2
    SHA-512:7AF5F9C4A3AD5C120BCDD681B958808ADA4D885D21AEB4A009A36A674AD3ECE9B51837212A982DB6142A6B5580E5B68D46971B802456701391CE40785AE6EBD9
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............M...M...M.CM...M...MJ..M...M...M...M...M...M...M..KM...M..zM...M..{M...M..JM...M..MM...MRich...M................PE..L......M...........!.....j...n............................................................@.........................pw..V....j..........8.......................X...p...................................@...............8............................text....h.......j.................. ..`.data....:...........n..............@....rsrc...8...........................@..@.reloc..0&.......(..................@..B........................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Windows setup INFormation
    Category:dropped
    Size (bytes):12848
    Entropy (8bit):5.071095411173453
    Encrypted:false
    SSDEEP:
    MD5:E6A74342F328AFA559D5B0544E113571
    SHA1:A08B053DFD061391942D359C70F9DD406A968B7D
    SHA-256:93F5589499EE4EE2812D73C0D8FEACBBCFE8C47B6D98572486BC0EFF3C5906CA
    SHA-512:1E35E5BDFF1D551DA6C1220A1A228C657A56A70DEDF5BE2D9273FC540F9C9F0BB73469595309EA1FF561BE7480EE92D16F7ACBBD597136F4FC5F9B8B65ECDFAD
    Malicious:false
    Reputation:low
    Preview:..; ---- Common sections ----..[Version]..Signature = "$CHICAGO$"..AdvancedINF = 2.0..Provider = %MSFT%..SetupClass = BASE....[Strings]..MSFT = "Microsoft"....[MDXDLLs]..Microsoft.DirectX.AudioVideoPlayback.dll..Microsoft.DirectX.Diagnostics.dll..Microsoft.DirectX.Direct3D.dll..Microsoft.DirectX.Direct3DX.dll..Microsoft.DirectX.DirectDraw.dll..Microsoft.DirectX.DirectInput.dll..Microsoft.DirectX.DirectPlay.dll..Microsoft.DirectX.DirectSound.dll..Microsoft.DirectX.dll......; ---- Windows 98 ----..[4.09.00.0904.00-4.09.00.0904.00_Win98_Feb2005_d3dx9_24_x86.cab]..NumberOfFiles=4..Size=2178 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..d3dx9_24_w9x.inf....[4.09.00.0904.00-4.09.00.0904.00_Win98_Feb2005_MDX_x86.MSI]..NumberOfFiles=1..Size=1788 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..Dependencies=feb2005_d3dx9_24_x86.cab..Feb2005_MDX_x86.MSI......; ---- Windows ME ----..[4.09.00.0904.00-4.09.00.0904.00_WinME_Feb2005_d3dx9_24_x86.cab]..N
    Process:C:\Users\user\AppData\Local\Temp\dxwebsetup.exe
    File Type:Windows setup INFormation
    Category:dropped
    Size (bytes):57743
    Entropy (8bit):5.690177677673679
    Encrypted:false
    SSDEEP:
    MD5:7B1FBE9F5F43B2261234B78FE115CF8E
    SHA1:DD0F256AE38B4C4771E1D1EC001627017B7BB741
    SHA-256:762FF640013DB2BD4109D7DF43A867303093815751129BD1E33F16BF02E52CCE
    SHA-512:D21935A9867C0F2F7084917C79FBB1DA885A1BFD4793CF669FF4DA8C777B3A201857250BFB7C2B616625A8D3573C68395D210446D2C284B41CF09CC7CBB07885
    Malicious:false
    Reputation:low
    Preview:[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DirectX_Win9X]..DisplayName=%DirectX_Win9X%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4608,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x.cab",3..URL2="dinput_w9x_81.cab",3..URL3="dplay_w9x.cab",3..URL4="dshow_w9x.cab",3..URL5="dshow_w9x_81.cab",3..URL6="graphics_w9x.cab",3..URL7="graphics_w9x_81.cab",3..URL8="ks_w9x.cab",3..URL9="vb_w9x.cab",3..URL10="bda_w9x.cab",3..URL11="setup_w9x.cab",3..Version="9,29,1974,0"....[DirectX_Win98_ENG]..DisplayName=%DirectX_Win98%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4348,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x_eng.cab",3..URL2="dinput_w9x_81_eng.cab",3..URL3="dplay_w9x_eng.cab",3..URL4="dshow_w9x_eng.cab",3..URL5="dxdiag_w9x_eng.cab",3..URL6="graphics_w9x_eng.cab"
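The two setup INFs previewed above (the one listing DXUpdate_* components with a single URL1 each, and this dxwebsetup one with URL1 through URL11) share one format: a [Version] header, a [DirectX] group, and one SectionType=Component section per platform with a Platform filter, GUID, approximate Size, a Version, and URLn="name.cab",3 lines naming the cabinets the web installer fetches. The parser below is an added example, not code from the report or the installer; it inventories those remote cabinets per platform and compares the INF's comma-separated versions with the dotted form the installer logs. SAMPLE_INF is a constructed excerpt in the same format, and its [Strings] values are made up because both previews cut off before that section.

```python
"""Parser for the setup INFs previewed above (the DXUpdate_* component list and the
dxwebsetup one with URL1..URLn entries). Added example, not code from the report or
the DirectX installer; SAMPLE_INF is a constructed excerpt in the same format, and its
[Strings] values are made up because the previews cut off before that section."""
import re

SAMPLE_INF = """\
[Version]
Signature=$Chicago$
DisplayName=%SetupTitle%

[DirectX]
SectionType=Group
DisplayName=%DirectX%

[DXUpdate_Feb2005_x86]
DisplayName=%Feb2005%
SectionType=Component
Platform=NT5
Group=DirectX
Size=990,0
GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}
URL1="Feb2005_d3dx9_24_x86.cab",3
Version=4,09,00,0904

[DirectX_Win9X]
DisplayName=%DirectX_Win9X%
SectionType=Component
Platform=Win98,Millen
Group=DirectX
Size=4608,0 ;approximate total size in KiB (comment added here)
GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}
URL1="audio_w9x.cab",3
URL2="dinput_w9x_81.cab",3
URL10="bda_w9x.cab",3
Version="9,29,1974,0"

[Strings]
SetupTitle="DirectX Setup"
DirectX="DirectX"
Feb2005="February 2005 D3DX"
DirectX_Win9X="DirectX for Windows 9x"
"""

def parse_inf(text: str) -> dict:
    """Section name -> {key: value}; ';' starts a comment and keys are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def _unquote(v: str) -> str:
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v

def parse_version(v: str) -> tuple:
    """'4,09,00,0904', '"9,29,1974,0"' or the log's '4.09.00.0904.00' -> tuple of ints."""
    return tuple(int(p) for p in re.split(r"[.,]", _unquote(v.strip())))

def is_newer(a: tuple, b: tuple) -> bool:
    """a > b after zero-padding, so 4.09.00.0904.00 and 4,09,00,0904 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) > b + (0,) * (n - len(b))

def components(text: str) -> list:
    """Every SectionType=Component section with its platform filter, GUID, version and cabs."""
    secs = parse_inf(text)
    strings = {k: _unquote(v) for s, kv in secs.items() if s.lower() == "strings"
               for k, v in kv.items()}
    def expand(v):      # %Token% -> [Strings] value; unknown tokens are left untouched
        return re.sub(r"%([^%]+)%", lambda m: strings.get(m.group(1).lower(), m.group(0)), v)
    out = []
    for name, kv in secs.items():
        if kv.get("sectiontype", "").lower() != "component":
            continue
        url_keys = sorted((k for k in kv if re.fullmatch(r"url\d+", k)), key=lambda k: int(k[3:]))
        out.append({"section": name, "display": expand(kv.get("displayname", "")),
                    "platforms": [p.strip() for p in kv.get("platform", "").split(",") if p.strip()],
                    "group": kv.get("group"), "guid": kv.get("guid"),
                    "size_kb": int(kv["size"].split(",")[0]) if kv.get("size") else None,
                    "version": parse_version(kv["version"]) if kv.get("version") else None,
                    # URLn="name.cab",<flags>: only the cabinet name matters for the inventory
                    "cabs": [_unquote(kv[k].partition(",")[0].strip()) for k in url_keys]})
    return out

def download_set(text: str, platform: str) -> list:
    """Cabinet names the web installer would fetch for one platform tag such as 'NT5'."""
    return sorted({cab for c in components(text) if platform in c["platforms"] for cab in c["cabs"]})

if __name__ == "__main__":
    for c in components(SAMPLE_INF):
        print(c["section"], c["platforms"], c["version"], c["cabs"])
    print("NT5 download set:", download_set(SAMPLE_INF, "NT5"))
```

The URL keys are sorted numerically rather than lexically so that URL10 follows URL2, and the ",3" suffix after each cabinet name is dropped rather than interpreted, since the previews do not say what the flag means. Feeding the full dropped INF through `download_set` gives the list of cabinet names to compare against the cabinets actually written to disk during the run.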
    Process:C:\Users\user\AppData\Local\Temp\dxwebsetup.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):527360
    Entropy (8bit):6.071483982747115
    Encrypted:false
    SSDEEP:
    MD5:AC3A5F7BE8CD13A863B50AB5FE00B71C
    SHA1:EEE417CD92E263B84DD3B5DCC2B4B463FE6E84D9
    SHA-256:8F5E89298E3DC2E22D47515900C37CCA4EE121C5BA06A6D962D40AD6E1A595DA
    SHA-512:C8BBE791373DAD681F0AC9F5AB538119BDE685D4F901F5DB085C73163FC2E868972B2DE60E72CCD44F745F1FD88FCDE2E27F32302D8CBD3C1F43E6E657C79FBA
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NQ.2.0ga.0ga.0ga-..a/0ga-..a.0ga-..a.0ga.H.a.0ga.0fa.0gaeF.a.0gaeF.a.0gaeF.a.0gaeF.a.0gaRich.0ga................PE..L......M..................... ...............................................P......._....@...... ..........................|........@..$....................0.......................................U..@............................................text............................... ..`.data....3..........................@....rsrc...$....@......................@..@.reloc.......0... ..................@..B................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\AppData\Local\Temp\dxwebsetup.exe
    File Type:Windows setup INFormation
    Category:dropped
    Size (bytes):477
    Entropy (8bit):5.237059564403252
    Encrypted:false
    SSDEEP:
    MD5:AD8982EAA02C7AD4D7CDCBC248CAA941
    SHA1:4CCD8E038D73A5361D754C7598ED238FC040D16B
    SHA-256:D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00
    SHA-512:5C805D78BAFFF06C36B5DF6286709DDF2D36808280F92E62DC4C285EDD9176195A764D5CF0BB000DA53CA8BBF66DDD61D852E4259E3113F6529E2D7BDBDD6E28
    Malicious:false
    Reputation:low
    Preview:[Version]..Signature="$CHICAGO$"..AdvancedINF=2.0..Provider = %MSFT%....[SourceDisksNames]..1 = %DiskName%,DXWSETUP.EXE,0....[SourceDisksFiles]..dsetup.dll=1..dsetup32.dll=1....[DestinationDirs]..DSetupDLL=11,directx\websetup....[DirectX_WinNT]..CopyFiles=DSetupDLL....[DirectX_Win9X]..CopyFiles=DSetupDLL....[CleanUp]..DelFiles=DSetupDLL....[DSetupDLL]..dsetup.dll,,,32..dsetup32.dll,,,32....[Strings]..MSFT = "Microsoft"..DiskName = "DXWSETUP"....
    Process:C:\Users\user\Desktop\5b1cxnTnnS.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
    Category:dropped
    Size (bytes):295320
    Entropy (8bit):7.749011498049896
    Encrypted:false
    SSDEEP:
    MD5:2CBD6AD183914A0C554F0739069E77D7
    SHA1:7BF35F2AFCA666078DB35CA95130BEB2E3782212
    SHA-256:2CF71D098C608C56E07F4655855A886C3102553F648DF88458DF616B26FD612F
    SHA-512:FF1AF2D2A883865F2412DDDCD68006D1907A719FE833319C833F897C93EE750BAC494C0991170DC1CF726B3F0406707DAA361D06568CD610EEB4ED1D9C0FBB10
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......->..i_.i_.i_..|.d_.i_.._..|..h_..|.q_..|.h_.Richi_.........PE..L...!.};............................^Z...............................................J...............................................................^...#...........................................................................................text............................... ..`.data...............................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):44144
    Entropy (8bit):5.345016064078353
    Encrypted:false
    SSDEEP:
    MD5:BD2B3B38325696AD21843523028FCEDD
    SHA1:7692A4FFA847BBD680702A47D1A3085AC996F0C2
    SHA-256:FC1ED9D7C933AE408E1FDBA68430BBDF2CFED251D5FEB5A46C54DFF26D09DDBE
    SHA-512:564AE5CD0FD773FDEB8538B3A4A183C463F55340E8C011113E25F14EF2119C82FD6EDF92B033700681A75195FE982EFE2B41D3DB0DDEAF97F48AB6B7D92D9BF5
    Malicious:false
    Reputation:low
    Preview:09/27/23 16:25:45: DXWSetup: ***** DXWSETUP *****..09/27/23 16:25:45: DXWSetup: WinMain()..09/27/23 16:25:45: DXWSetup: IsIA64(): not IA64...09/27/23 16:25:45: DXWSetup: Unable to get Version on target file C:\Windows\system32\directx\websetup\dsetup.dll..09/27/23 16:25:45: DXWSetup: Installed file C:\Windows\system32\directx\websetup\dsetup.dll..09/27/23 16:25:46: DXWSetup: Unable to get Version on target file C:\Windows\system32\directx\websetup\dsetup32.dll..09/27/23 16:25:46: DXWSetup: Installed file C:\Windows\system32\directx\websetup\dsetup32.dll..09/27/23 16:25:46: DXWSetup: GetDXVersion(): Unable to get RC string from registry...09/27/23 16:25:46: DXWSetup: DirectX Version: 4.09.00.0904.00..09/27/23 16:25:46: DXWSetup: Setup Version: 4.09.00.0904.00..09/27/23 16:25:46: DXWSetup: A newer version of DirectX have been installed already...09/27/23 16:25:55: DXWSetup: CDXWSetup::CDXWSetup()..09/27/23 16:25:55: DXWSetup: CDXWSetup::DownloadDXUpdate()..09/27/23 16:25:55: DXWSetup: On
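The preview above is the installer's own DXWSetup log, one event per line in the form "<mm/dd/yy HH:MM:SS>: DXWSetup: <message>", with CRLF rendered as "..". The following parser is an added example, not code from the report or the installer. It turns those lines into timestamped events, lists the files the installer reports writing and flags the ones under the Windows system directory (both dsetup.dll and dsetup32.dll land in C:\Windows\system32\directx\websetup), extracts the DirectX and setup version strings, and finds the nine-second pause between "installed already" and CDXWSetup::CDXWSetup(). SAMPLE_LOG reproduces the preview's lines; the system-directory prefixes assume the default %SystemRoot% of C:\Windows.

```python
"""Parser for the DXWSetup log previewed above. Added example, not part of the report;
SAMPLE_LOG reproduces lines from the preview (CRLF shown there as '..') in the
'<mm/dd/yy HH:MM:SS>: <module>: <message>' format."""
import re
from datetime import datetime

SAMPLE_LOG = r"""
09/27/23 16:25:45: DXWSetup: ***** DXWSETUP *****
09/27/23 16:25:45: DXWSetup: WinMain()
09/27/23 16:25:45: DXWSetup: IsIA64(): not IA64.
09/27/23 16:25:45: DXWSetup: Unable to get Version on target file C:\Windows\system32\directx\websetup\dsetup.dll
09/27/23 16:25:45: DXWSetup: Installed file C:\Windows\system32\directx\websetup\dsetup.dll
09/27/23 16:25:46: DXWSetup: Unable to get Version on target file C:\Windows\system32\directx\websetup\dsetup32.dll
09/27/23 16:25:46: DXWSetup: Installed file C:\Windows\system32\directx\websetup\dsetup32.dll
09/27/23 16:25:46: DXWSetup: GetDXVersion(): Unable to get RC string from registry.
09/27/23 16:25:46: DXWSetup: DirectX Version: 4.09.00.0904.00
09/27/23 16:25:46: DXWSetup: Setup Version: 4.09.00.0904.00
09/27/23 16:25:46: DXWSetup: A newer version of DirectX have been installed already.
09/27/23 16:25:55: DXWSetup: CDXWSetup::CDXWSetup()
09/27/23 16:25:55: DXWSetup: CDXWSetup::DownloadDXUpdate()
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (\w+): (.*)$")
# Assumed default %SystemRoot%; writes under these prefixes go into the system directory.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_log(text: str) -> list:
    """One dict per well-formed line: time (datetime), module, message. Other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"),
                           "module": m.group(2), "message": m.group(3)})
    return events

def installed_files(events: list) -> list:
    """Paths after 'Installed file', flagged when they fall under the system directory."""
    out = []
    for e in events:
        if e["message"].startswith("Installed file "):
            path = e["message"][len("Installed file "):].strip()
            out.append({"path": path, "time": e["time"],
                        "system_dir": path.lower().startswith(SYSTEM_DIRS)})
    return out

def versions(events: list) -> dict:
    """'DirectX Version: a.b.c.d.e' and 'Setup Version: ...' as int tuples, keyed 'directx'/'setup'."""
    found = {}
    for e in events:
        m = re.fullmatch(r"(DirectX|Setup) Version: ([\d.]+)", e["message"])
        if m:
            found[m.group(1).lower()] = tuple(int(p) for p in m.group(2).split("."))
    return found

def phase_gaps(events: list, min_seconds: int = 5) -> list:
    """(previous message, next message, seconds) for consecutive events at least min_seconds apart."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        dt = (cur["time"] - prev["time"]).total_seconds()
        if dt >= min_seconds:
            gaps.append((prev["message"], cur["message"], dt))
    return gaps

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for f in installed_files(ev):
        print("write", f["path"], "(system dir)" if f["system_dir"] else "")
    print(versions(ev))
    for before, after, secs in phase_gaps(ev):
        print(f"{secs:.0f}s idle between {before!r} and {after!r}")
```

The gap finder is the part worth keeping in a triage script: an installer that spends seconds idle before its download phase is usually waiting on a dialog, which in a sandbox means the run only progressed because the harness clicked through the license page shown earlier in this report.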
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1073002 bytes, 5 files, at 0x44 +A "d3dx9_25_x86.cat" +A "d3dx9_25.dll", flags 0x4, ID 6922, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1082170
    Entropy (8bit):7.999075135168916
    Encrypted:true
    SSDEEP:
    MD5:9C5DCA423D9D68349D290DF291DDBEEF
    SHA1:D9F1CAE586470EA309CE9F115525B0504FFFAEA4
    SHA-256:5487ED4E969A822E5C481CEFB1D4DA3066B1D5EC8C55798B246915ECB58A8665
    SHA-512:9F50599321F45FB7451B0A1C0F1DCBD6B4A4E60EE27B0EF5AA29168C1BCE5B08F34329916EA2EA655CD632D0A19C81953C2A5F1277F6A96FB63AFC098236509D
    Malicious:true
    Reputation:low
    Preview:MSCF....j_......D...........................j_...#..............H...7.........r2. .d3dx9_25_x86.cat..#.7.....r2}. .d3dx9_25.dll.......#...r2,. .apr2005_d3dx9_25_x86.inf.......#...r2,. .d3dx9_25_w9x.inf.....k.#...r2,. .d3dx9_25_x86.inf.(.0.?..CK..\....'4.A..".+.@.%..C*.4).b!@..$.....a..k.#..v.w.w.]xg...............9{......k....q....6.Z&Ey-.@.....a.0.T...9b......a...b....ilk.+c.5.af.o.vl..............<....s.z..V.7........fa\.G\$En..._..|$.?9.O...!..H.<...#.,...!.^N.<.g"..=.V|O.a..gwcw...t.c.......X..4(.).. .?.S..0k..._2{<%X.......m.*....D&&..v.c ....Av...u.l. K2......R.0.&.XO8b..p."H@^..2..jbb...hg.&...>.>....u..x....2...@.~....9..u.a.M.X...S5d_..|}z"h..1.....<...Z!...V).............}OO...n.2..Q....../.......R+[C..l..(...@......1........$..vs..K. m...e...b..\}u.+.....?..bg...P.......%.pRgTq.t.t.e<..t.Y._.X.?F.(../.......abb.G5.qkb.\..Z...g.....g..(.....f..Lz.8...h.e....t.R.fJ.iJNCv}:.V.:..m.B..JIQrlA..Z5..HR..)9-...:.......V.JP.)t*.....6m....
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1109261 bytes, 5 files, at 0x44 +A "d3dx9_30_x86.cat" +A "d3dx9_30.dll", flags 0x4, ID 6903, number 1, extra bytes 20 in head, 74 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1118429
    Entropy (8bit):7.999050518080374
    Encrypted:true
    SSDEEP:
    MD5:B3D644A116C54AFDA42A61B0058BE112
    SHA1:9AF7DDC29EEF98810A1A2F85DB0B19B2EC771437
    SHA-256:CA7B9C6A49E986C350147F00A6C95C5B577847B5667B75681A1EE15E3A189106
    SHA-512:A2D2F12B7B37BD8F5C8465DD13AD31942DF11EE5ED5423DEEEB178E6B594587706D2C5116258BE1562CAA5ECA691358AF3CB83B77898D1012FF521017D199165
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):90309
    Entropy (8bit):7.986243949537019
    Encrypted:false
    SSDEEP:
    MD5:B0669F7D395078BEE0087B089F0B45C5
    SHA1:30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
    SHA-256:E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
    SHA-512:D7EFCFD85B3CB6CB9B1936B701A9D7D91A6094AA08D8C933EDF8493C6AD57BE05A579980A404B35E9721F71B45F4CAE28399FCA3FF5DF20A9A3138B90F86B94C
    Malicious:false
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 40050 bytes, 4 files, at 0x44 +A "xinput1_1_x86.cat" +A "xinput1_1.dll", flags 0x4, ID 6338, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):49218
    Entropy (8bit):7.962835058038329
    Encrypted:false
    SSDEEP:
    MD5:E207FB904E641246F3F7234DB74121FC
    SHA1:1BE8C50C074699BDD9184714E9022B7A2F8BF928
    SHA-256:3FDF63211B0DD38069A9C1DF74D7BC42742DE003CEF72AD1486AAA92D74546FA
    SHA-512:ED95D53BC351C98C0322753265B0A21C98DF97D0E2FBBC58A6836BFF374B7540B0CEA21371CD4A7EAD654210A42E1F9809CAC6E4EAE2ECF0EF2B88E220DC37F7
    Malicious:false
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1600079 bytes, 5 files, at 0x44 +A "d3dx9_33_x86.cat" +A "d3dx9_33.dll", flags 0x4, ID 7180, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1609247
    Entropy (8bit):7.999284261824255
    Encrypted:true
    SSDEEP:
    MD5:A5915EC0BE93D7EEBE8800CE761EE6DC
    SHA1:E8BBC21C2B5F0E5801286F07E3DA09DBC67C3961
    SHA-256:EFA2E6DE548401376A575E83A79DE019AA38F191D63FDEF3BD2B07D8CB33E3D7
    SHA-512:02259FF3C8478CBA134A8F8408AA624B7165CED97C0AED8C9626034599DD5439F84D1AF9EEFC4191898B0A524E5FFAFB9875EC00E740CEBE97EAC4C2DD0E31AA
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 47342 bytes, 5 files, at 0x44 +A "xinput1_3_x86.cat" +A "xinput1_3.dll", flags 0x4, ID 8235, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):56510
    Entropy (8bit):7.973777529821975
    Encrypted:false
    SSDEEP:
    MD5:B362EC93463D8B6381A864D35D38C512
    SHA1:7CE47EBCEDA117D8B9748B5B2D3A6AE99FC239DF
    SHA-256:B6C1166C57D91AFEEEAA745238D0D6465FF2084F0606FD29FAF1BFA9E008A6C5
    SHA-512:CC57733912E2A296A11CD078372C3B43F1256A93EC5BECD0D1B520EB210FCE60938AA1CAA6DBBCA03292A05495B5ECD212EE5F77E3EBABB11EF31F1975B2D09E
    Malicious:false
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1458712 bytes, 5 files, at 0x44 "d3dx9_39.dll" "d3dx9_39_x86.cat", flags 0x4, ID 7173, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
    Category:dropped
    Size (bytes):1467880
    Entropy (8bit):7.999682997096517
    Encrypted:true
    SSDEEP:
    MD5:4379902C4180A9A6BF40B847372CEC5A
    SHA1:C7FC8184D5620154B9BFD6FBC8820A78C4EEE592
    SHA-256:61E703E8D231412F135B4ABA629122D9CB69AC9EE39FA3CBBE6B95DE05097A8B
    SHA-512:9269F49A5CA90143C50B817E9F5AEC0FC4C32BA1B6D3A21CC5448CAD21A16A902540C8CFC1825B124CE39E0BDC479ADE4354B6BE15B2067E3033E04998E0710A
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1073496 bytes, 5 files, at 0x44 +A "d3dx9_28_x86.cat" +A "d3dx9_28.dll", flags 0x4, ID 6914, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1082664
    Entropy (8bit):7.999121865147412
    Encrypted:true
    SSDEEP:
    MD5:B1CCAAFF46FE022439F7DE5EB9EC226F
    SHA1:8BB7225DF13E6B449D318E2649AEB45A5F24DAF7
    SHA-256:645F8D90B07C69330A8C7C8912D70538411C9A6B2813048DA8AD3C3119487F93
    SHA-512:2B59C07584D45705273A975A0223E4443DB190675558AB89D92E1572DE4843BE3D0D1267818B19185E4E438A8BCFA2AF5FB5EF2A119DA270BE4540576FD78C77
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 185760 bytes, 4 files, at 0x44 +A "d3dx10_00_x86.cat" +A "d3dx10.dll", flags 0x4, ID 5461, number 1, extra bytes 20 in head, 14 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):194952
    Entropy (8bit):7.9966042762544145
    Encrypted:true
    SSDEEP:
    MD5:75C33157D8A1B123D01B2EAC91573C98
    SHA1:E3E65896CE0520413979C0143C3AA9BD3A6A27D3
    SHA-256:02DAA8B5AC3752F76C3BFD9A505EBF22B1B4B41E44EB92CE2799033B2330D186
    SHA-512:F0F1F1DEA5938E1C7FF2ADF7C8D421C2E68E6D3A8CDF18D0F2F3FE1C6837A4F37B367D2D974C35832D1D85A619948DD0F250C7D6DC4AE39F618F5A2893EAC7DD
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1568416 bytes, 4 files, at 0x44 +A "d3dx9_32_x86.cat" +A "d3dx9_32.dll", flags 0x4, ID 5512, number 1, extra bytes 20 in head, 105 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1577608
    Entropy (8bit):7.999092247669469
    Encrypted:true
    SSDEEP:
    MD5:A5BEAD938AFDC63ADFECC1DAF5049D7F
    SHA1:B3D5BF56F6B9BF87C33009A088BA7785B6363B4E
    SHA-256:A1CC7603302EE53D54F4353C223D95E223706924D99B864220B13814EF93EEFB
    SHA-512:C9244BBCFE60F347EC8785B1A41B6E243153624EA73B16DB4D624239A69FA76D2DF2E54039D8F4D2C495890AC17B676E390F796118B4E16D9F03683247190362
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1007265 bytes, 4 files, at 0x44 +A "d3dx9_24_x86.cat" +A "d3dx9_24.dll", flags 0x4, ID 4987, number 1, extra bytes 20 in head, 69 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1016433
    Entropy (8bit):7.998972724711677
    Encrypted:true
    SSDEEP:
    MD5:7029866BA46EC477449510BEEE74F473
    SHA1:D2F2C21EAB1C277C930A0D2839903ECC55A9B3E8
    SHA-256:3D4E48874BDDCD739CF79BF2B3FD195D7C3E861F738DC2EAB19F347545F83068
    SHA-512:B8D709775C8D7CA246D0E52FF33017EE9A718B6C97C008181CD0C43DB7E60023D30D2F99A4930EBA124AF2F80452CBF27836D5B87E2968FB0F594ECA1EBF78DD
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1058965 bytes, 5 files, at 0x44 +A "d3dx9_26_x86.cat" +A "d3dx9_26.dll", flags 0x4, ID 6937, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1068133
    Entropy (8bit):7.999040217820951
    Encrypted:true
    SSDEEP:
    MD5:029359EBCA4BA5945282E0C021B26102
    SHA1:6107919F51E1B952CA600F832A6F86CBBED064B5
    SHA-256:C44EABF5BE3B87CD845950670C27F6A1E5D92B7758BA7C39C7849B1EE1C649C0
    SHA-512:FA007F257F5267119B247EC4ED368E51FD73E6AEA3097E2FC4E78078C063AF34D161FD1BDCAF3097BB575D2614DBA226A624D060009EE4F7BEDA697EFCF42BB7
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 692512 bytes, 6 files, at 0x44 +A "d3dx10_34_x86.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 9065, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):701680
    Entropy (8bit):7.9989902264021255
    Encrypted:true
    SSDEEP:
    MD5:19383CBADA5DF3662303271CC9882314
    SHA1:123C97C33F7EF2BA345B220450F181D440412E6B
    SHA-256:8EC971C91040618338AC2369188F3E5D7C85A5B1E3B9FC8E752DD845D295CDBA
    SHA-512:A4C6ACC9FF656E05D75AE0081C65C200B584209C99FD001494C4D206F2CE8A78D2DD3644E51018574928F3B9E9373BF7EC8C5147A3590B54D1C6D50E61342853
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 812300 bytes, 6 files, at 0x44 "d3dx10_37.dll" "D3DCompiler_37.dll", flags 0x4, ID 8943, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):821468
    Entropy (8bit):7.9989494569533655
    Encrypted:true
    SSDEEP:
    MD5:8234B9B90BCBB5077E1B5FAA0B66D1A9
    SHA1:E9207C572FDEC592B7C17A7F9C6F875C8A55B1F0
    SHA-256:6A2727269E6CAC7C4D2E316333D29BAC0DC1CD7F51C36C0C08B0388203DEDAD2
    SHA-512:74C94A6E092D7C828FC1E3FAEE4B21917AFC3CACEC04F260754190D0533F93A58289763AC620E5A577F7865902023B30548CDA4D9E968C90EE13050AD6D1E8C5
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1034785 bytes, 6 files, at 0x44 "d3dx10_41.dll" "D3DCompiler_41.dll", flags 0x4, ID 8914, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1043953
    Entropy (8bit):7.998757160305283
    Encrypted:true
    SSDEEP:
    MD5:45E83CBA5710A1DE7D3990A288122E85
    SHA1:23C4BFBDDCFB11ACB7C47C409825F039AF7EB908
    SHA-256:B7DA29103CDF374DE0C09713CB985035EAC45FB8B394D3B8157D8A7562A89899
    SHA-512:8C56D376D349AA00948E1F3C6168DADE76AC9A26ADE1AAC5A385DCF0253602F5A2973483D083425195DB6AD7717494FD3CF674F5549774AC608CEFA2A88BF0A7
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 797924 bytes, 6 files, at 0x44 +A "d3dx10_36_x86.cat" +A "d3dcompiler_36.dll", flags 0x4, ID 9083, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):807092
    Entropy (8bit):7.998858073625772
    Encrypted:true
    SSDEEP:
    MD5:3D9A0C59156D03DA0F19C2440E695637
    SHA1:55B050991CB17410C75ADC3913066BAEDB482ED0
    SHA-256:BDF7FB01C02783A4F8C9F5E7911F5CAE3E2A7CBC425B90B36F9EA6EEF2C27DE3
    SHA-512:E9A662498C43865E917F0778B772D6964517E41289CBF5A0B8A4E44D8C4B4E9A5049C76F2ECBE4ACC7E9CFCC3F1D87A75C3F8703E66804CE758969814BA14FDA
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Generic INItialization configuration [DXUpdate]
    Category:dropped
    Size (bytes):5452
    Entropy (8bit):5.296546074801564
    Encrypted:false
    SSDEEP:
    MD5:F4A24CFC71E957C79A5DF8E303D293E4
    SHA1:DA423130E0A6E6D46853E5D7AE2ABFF6AD3CA462
    SHA-256:C99E96345653C78E8ABE859C053BD20E5FEAAECEBF3C5BFE7E3033149C8603A9
    SHA-512:45A226595BF0E12A756C4F0645AAE3B0A06DC2A52034005DD532E9E3DE5302AFE0BA3FA2ACED5AE658B589C9246FF79323D03716DC303A6AD0EDC7E3BFE2AD8E
    Malicious:false
    Reputation:low
    Preview:[General]..Version=1..[DXUpdate]..Version=9,29,1974,0..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=100360,dxupdate.cab..[DXUpdate_Apr2006_xinput_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=49218,Apr2006_xinput_x86.cab..[DXUpdate_Apr2006_xinput_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=90309,Apr2006_xinput_x64.cab..[DXUpdate_Aug2006_xinput_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=49266,Aug2006_xinput_x86.cab..[DXUpdate_Aug2006_xinput_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=90350,Aug2006_xinput_x64.cab..[DXUpdate_Dec2006_d3dx10_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=194952,Dec2006_d3dx10_00_x86.cab..[DXUpdate_Dec2006_d3dx10_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=216015,Dec2006_d3dx10_00_x64.cab..[DXUpdate
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 81182 bytes, 5 files, at 0x44 +A "xinput1_2_x64.cat" +A "xinput1_2.dll", flags 0x4, ID 7454, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):90350
    Entropy (8bit):7.985841057262195
    Encrypted:false
    SSDEEP:
    MD5:A9D582E44E46E36F37EDB7CBC761179D
    SHA1:ED1BEF64385E94CE89AFA704D38408E23B31FA79
    SHA-256:C26633D38E0A91B9BE70382E916A83D50E219609F7E05CFB2D27DFAFBE480B43
    SHA-512:20011BFB547DEDCE8E6FCEDA22C3A3A83DB140E8A20844F3B0E8741B4474C1FEA73D84708B801E83EAE3CD2D8A2D6C851C3F7CD0154C0382A78BC2C2DF6B01E5
    Malicious:false
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 90857 bytes, 6 files, at 0x44 +A "xinput1_3_x64.cat" +A "xinput1_3.dll", flags 0x4, ID 9350, number 1, extra bytes 20 in head, 6 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):100025
    Entropy (8bit):7.988437274786544
    Encrypted:false
    SSDEEP:
    MD5:FAE84E0773A74F367124C6D871516B7B
    SHA1:CAF8B9D7D4AF965BF445D052D1E835B680D6BBC3
    SHA-256:86EE073C199B5080FE4F5BE6AC24BB1117FEA42E4BBCD828B4F0EC26C669B22C
    SHA-512:CAF1381CAE7417B57FAEF56D0023BF90C90406748F8813AB85C687DDB81E2498D2F1D5F4BC154903FD5A19836E6F245CD6F5D3927A383F1ACC3BCC41B58FD09B
    Malicious:false
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1071684 bytes, 5 files, at 0x44 +A "d3dx9_27_x86.cat" +A "d3dx9_27.dll", flags 0x4, ID 6926, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1080852
    Entropy (8bit):7.999138982152864
    Encrypted:true
    SSDEEP:
    MD5:3E91448A7481A78318DCE123790EE31A
    SHA1:AE5FE894790624BAD3E59234577E5CB009196FDF
    SHA-256:8C062B22DC2814D4F426827B4BF8CFD95989FD986FB3AAA23438A485EE748D6D
    SHA-512:F8318BD7CA4271FC328D19428E4688DA898B6D7FB56CC185AD661D4A18C8169392C63515D7DD2D0B65CBD1F23892D7A0A5D3D77A4CDA6230BA03B3B917E5C39A
    Malicious:true
    Reputation:low
    Preview:
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1078760 bytes, 5 files, at 0x44 +A "d3dx9_29_x86.cat" +A "d3dx9_29.dll", flags 0x4, ID 6921, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1087928
    Entropy (8bit):7.99922866964108
    Encrypted:true
    SSDEEP:
    MD5:F6CC1C08D0F569B5F59108D39CE3508B
    SHA1:E9CF7EDC8C9C4B57A9BADD8386A2117EC5785AAB
    SHA-256:4114E76799AF3DA9DB3DAE51305DAD70A05B757E506E4A327092D536CCA7EE75
    SHA-512:86DF72D5B15396ACB504C1AC9DE7FF5C0CC9C95A90FDD82DAEDC55BAAD490CC47A71CB511571D37E25DD9BC1EE9652B9723E33879BC1756A7881A8E61EBC59ED
    Malicious:true
    Reputation:low
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 689905 bytes, 6 files, at 0x44 +A "d3dx10_33_x86.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 9049, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):699073
    Entropy (8bit):7.998968028413629
    Encrypted:true
    SSDEEP:
    MD5:F784B8A0FD84C8AC3F218A9842D8DA56
    SHA1:FB7B4B0F81CD5F1C6A900C71BFD4524AF9A79ECE
    SHA-256:949068035CE57BBB3658217EC04F8DE7A122C6E7857B6F8B0CA002EB573DF553
    SHA-512:01B818AA5188CDE3504E289AEDCA2D31A6C5AED479B18A2C78271828AE04BEBCD4082051B7F4EECA8A31E8EE5ADBA158420ECDCB21371C735E4781EE5F661DBF
    Malicious:true
    Reputation:low
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1703400 bytes, 5 files, at 0x44 +A "d3dx9_36_x86.cat" +A "d3dx9_36.dll", flags 0x4, ID 7211, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):1712568
    Entropy (8bit):7.999078652914364
    Encrypted:true
    SSDEEP:
    MD5:C5E127067EE6CACDD2F8962E6005542E
    SHA1:22C571E4DA75A6E5DFE02E3E3587F40C2939C745
    SHA-256:F52CC1304B533083B3FC5553C49433C0E4E46D66D567B9DE0B558CA518DB1544
    SHA-512:E70DF11AF8CB5D51C3111B8327371EA40292580F06D7D265F2449B89A4941C4740BDE904367FBCB4158512939BBD7C7A3DC20D3642475789FC075A2AE8E27860
    Malicious:true
    Reputation:low
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 1457918 bytes, 5 files, at 0x44 "d3dx9_38.dll" "d3dx9_38_x86.cat", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
    Category:dropped
    Size (bytes):1467086
    Entropy (8bit):7.999726422350297
    Encrypted:true
    SSDEEP:
    MD5:E2FB2E37C342983493C776BD81943978
    SHA1:2A8F3C45CF979966D4D4D42A4D34F05C72C7E29E
    SHA-256:57E57A6348E55AAACA6BED5E27BBDD0A4BD0DDE69C77F4D26C805BE6384BE927
    SHA-512:2D297F607C5A098A3D2B19E7F88AA12F720AF3C23FE6DDCE7D4659A9184D1CF8F8A76F35B8ACB639B48CDAD8998C919215A03B89207E2BB1829EA3D8A9EFB95A
    Malicious:true
    Reputation:low
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 843959 bytes, 6 files, at 0x44 "d3dx10_38.dll" "D3DCompiler_38.dll", flags 0x4, ID 8962, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):853127
    Entropy (8bit):7.998980130768887
    Encrypted:true
    SSDEEP:
    MD5:B0E2B612DAF28B145B197A4DB0A9B721
    SHA1:F69266E4AF3D2DE31A2A2E416F10B0F44737739A
    SHA-256:E8DC1063C9434EED8D633741B19CDFA1889581041E2214B87B5159E3EA087F3C
    SHA-512:6E31F18CB75CE69D291D0ABD15EDADF02C0693033351DFB2F435312A47540AA223C8176209725C14A05FA6494153A3E191B2FB7CB8C5CEE11FB42371CE67392B
    Malicious:true
    Reputation:low
    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    File Type:Microsoft Cabinet archive data, many, 843207 bytes, 6 files, at 0x44 "d3dx10_39.dll" "D3DCompiler_39.dll", flags 0x4, ID 8952, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
    Category:dropped
    Size (bytes):852375
    Entropy (8bit):7.998886184584254
    Encrypted:true
    SSDEEP:
    MD5:5380053AC4C344BD38604022476B1C1D
    SHA1:043DC8F49BCA3BF0BD85E858F5C2EEDF68565C0D
    SHA-256:84800C55F773D5D6913E344E41BABA58CF07CEC2E6C7114CA3BF48E8F355419F
    SHA-512:F3CE2DEF6E2E8A1D2C07F627E3C437A1BBA0B2E456020A84121346472BE3D28E0FC69623BD408F35A2C639C83DD2787F998DEDFE42B7625DC71500824B035FEC
    Malicious:true
    Reputation:low
    File type:PE32+ executable (GUI) x86-64, for MS Windows
    Entropy (8bit):7.337609080925835
    TrID:
    • Win64 Executable GUI (202006/5) 92.65%
    • Win64 Executable (generic) (12005/4) 5.51%
    • Generic Win/DOS Executable (2004/3) 0.92%
    • DOS Executable Generic (2002/1) 0.92%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:5b1cxnTnnS.exe
    File size:21'521'888 bytes
    MD5:5225371f32a1ba8a5daa8f14ce64e8bf
    SHA1:8f9221f0fd7c5cfe50f12337b5ce35f4c07c6e3e
    SHA256:1743f4a392b6d2ad0d47a7a57e277e1a29ecf459275b604919a6131739afdaad
    SHA512:a5e1af8d9e26202ea874661476692f400b07595f06992b82dcff950fcfaf31e052c2b85460ec20f761a10618ca4b9591ec97bd5a1642d3c2f7657468f79f8f17
    SSDEEP:196608:7sb6uVDaIoYu4c6XsL5hePNABvAw819mJxaMR/wiArvjtbJYvwRYrs0VXuoWk5CM:Qb6ukx4dAvdRJxsRtOeYLmcDF
    TLSH:DE2712C7E59541F8C0C3857062466396B5B0B85E82BCAE3F3EC52C023E25EA7964DF76
    Icon Hash:010905619293c52c
    Entrypoint:0x140dabac2
    Entrypoint Section:.pdata2
    Digitally signed:true
    Imagebase:0x140000000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x651286B4 [Tue Sep 26 07:22:28 2023 UTC]
    TLS Callbacks:0x40b69626, 0x1, 0x400ec8b0, 0x1
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:de79444535980bb1ec949331a1b89433
    Signature Valid:false
    Signature Issuer:CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1, O="DigiCert, Inc.", C=US
    Signature Validation Error:The digital signature of the object did not verify
    Error Number:-2146869232
    Not Before, Not After
    • 7/27/2021 2:00:00 AM 8/7/2024 1:59:59 AM
    Subject Chain
    • CN=VS Revo Group Ltd., O=VS Revo Group Ltd., L=Ruse, C=BG, SERIALNUMBER=200204019, OID.1.3.6.1.4.1.311.60.2.1.3=BG, OID.2.5.4.15=Private Organization
    Version:3
    Thumbprint MD5:1884464E49C1DFC765B837961EA25568
    Thumbprint SHA-1:68A7EC9C14F45C97E8A743552672971C2DCB0A29
    Thumbprint SHA-256:8DBF178B186FD778052FF6AF8D168C71912553561FD9B8B8A643F97C9EC4607B
    Serial:07ED134B1ECF561A9EB5B05388BFF047
    Instruction
    call 00007F1F2D43CA4Ch
    add dword ptr [esi], 90E05C6Ah
    jnc 00007F1F2D3C7AADh
    sbb edx, dword ptr [eax-3821604Ch]
    xchg eax, ebx
    stosd
    aad 3Eh
    arpl word ptr [ebx+34571C2Ah], bp
    adc al, 8Fh
    fsubr dword ptr [edi+1Bh]
    aam 84h
    sal ebx, cl
    outsd
    inc ebx
    int3
    cld
    sal ebx, cl
    outsd
    mov ebx, F3D3747Ch
    outsd
    salc
    int3
    les ecx, fword ptr [ebp-01h]
    outsd
    mov si, seg?
    dec edx
    jmp far 0C66h : ED72B5D9h
    std
    or al, byte ptr [bp+si+1Eh]
    sti
    sbb esi, ebp
    movsb
    in eax, E8h
    cmp edi, dword ptr [edx-1Eh]
    jnc 00007F1F2D3C79CEh
    das
    test eax, edx
    pop ebp
    hlt
    pop eax
    out dx, eax
    inc ecx
    add ebp, eax
    sub byte ptr [esi-72h], 0000000Eh
    xchg eax, esi
    and al, byte ptr [edx-27h]
    push ebx
    add eax, 076AE230h
    loopne 00007F1F2D3C7A51h
    xchg byte ptr [edx], al
    out 81h, eax
    push ss
    push FFFFFF9Dh
    push eax
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe2e428 | 0x17c | .pdata2
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x147f000 | 0x9073 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1473db0 | 0xaba8 | .pdata2
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1483000 | 0x35e0 | .rsrc
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0xdcf5a8 | 0x28 | .pdata2
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1473c70 | 0x140 | .pdata2
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0xb53000 | 0x148 | .pdata1
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x126860 | 0x126a00 | False | 0.46062344214043277 | data | 6.388795909451276 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x128000 | 0x7cc36 | 0x7ce00 | False | 0.4595884947447447 | data | 5.290789572856671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x1a5000 | 0x1e58 | 0xc00 | False | 0.15071614583333334 | data | 2.0714123844059205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .pdata | 0x1a7000 | 0x82b0 | 0x8400 | False | 0.9719164299242424 | data | 7.979667612473192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    _RDATA | 0x1b0000 | 0x15c | 0x200 | False | 0.408203125 | data | 3.3084720533769074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .pdata0 | 0x1b1000 | 0x9a1561 | 0x9a1600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .pdata1 | 0xb53000 | 0xe70 | 0x1000 | False | 0.034423828125 | data | 0.21629586456964964 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .pdata2 | 0xb54000 | 0x92a958 | 0x92aa00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc | 0x147f000 | 0x9073 | 0x9200 | False | 0.11801690924657535 | data | 3.639048237683422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_ICON | 0x147f1a8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.07422059518186112
    RT_ICON | 0x14833d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08703319502074688
    RT_ICON | 0x1485978 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.16463414634146342
    RT_ICON | 0x1486a20 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.18565573770491803
    RT_ICON | 0x14873a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3262411347517731
    RT_GROUP_ICON | 0x1487810 | 0x4c | data | English | United States | 0.8026315789473685
    RT_MANIFEST | 0x1487860 | 0x813 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.41025641025641024
    DLL | Import
    user32.dll | MessageBoxW
    pdh.dll | PdhGetFormattedCounterValue
    kernel32.dll | SetThreadContext
    iphlpapi.dll | GetIfEntry2
    netapi32.dll | NetApiBufferFree
    secur32.dll | AcceptSecurityContext
    advapi32.dll | RegSetValueExW
    bcrypt.dll | BCryptGenRandom
    shell32.dll | CommandLineToArgvW
    ole32.dll | CoSetProxyBlanket
    ws2_32.dll | shutdown
    ntdll.dll | NtQuerySystemInformation
    crypt32.dll | CertOpenStore
    powrprof.dll | CallNtPowerInformation
    oleaut32.dll | GetErrorInfo
    psapi.dll | GetModuleFileNameExW
    kernel32.dll | GetSystemTimeAsFileTime
    kernel32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress
    Language of compilation system | Country where language is spoken
    English | United States