Windows Analysis Report
Palworld.zip

Overview

General Information

Sample name: Palworld.zip
Analysis ID: 1383505
MD5: 4af36f42ac61e323cfa0de0eed389cbd
SHA1: 0e407221f4c2ec47349c8c082bd8c9a48b6fba82
SHA256: aeb353769a5660d11af3fe28faf383cef65ba1ec9e1ba17d60c12a77bffde2fb

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Writes many files with high entropy
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 6132 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • dxwebsetup.exe (PID: 2268 cmdline: "C:\Users\user\Desktop\Palworld\dxwebsetup.exe" MD5: 2CBD6AD183914A0C554F0739069E77D7)
  • dxwebsetup.exe (PID: 2220 cmdline: "C:\Users\user\Desktop\Palworld\dxwebsetup.exe" MD5: 2CBD6AD183914A0C554F0739069E77D7)
    • dxwsetup.exe (PID: 6588 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe MD5: AC3A5F7BE8CD13A863B50AB5FE00B71C)
  • Palworld.exe (PID: 5880 cmdline: "C:\Users\user\Desktop\Palworld\Palworld.exe" MD5: A9181A14270AD54407A16516C05817BE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, CommandLine: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, ParentCommandLine: "C:\Users\user\Desktop\Palworld\dxwebsetup.exe" , ParentImage: C:\Users\user\Desktop\Palworld\dxwebsetup.exe, ParentProcessId: 2220, ParentProcessName: dxwebsetup.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, ProcessId: 6588, ProcessName: dxwsetup.exe
Source: Registry Key set Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Palworld\dxwebsetup.exe, ProcessId: 2220, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
No Snort rule has matched

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeWindow detected: Installing Microsoft(R) DirectX(R)Welcome to setup for DirectXThe DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT DIRECTX END USER RUNTIMEThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. 
You may not* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: DSETUP.pdb source: SETA517.tmp.10.dr
Source: Binary string: DSETUP.pdb0 source: SETA517.tmp.10.dr
Source: Binary string: wextract.pdb source: dxwebsetup.exe
Source: Binary string: BootstrapPackagedGame-Win64-Shipping.pdb source: Palworld.exe
Source: Binary string: dxwsetup.pdb source: dxwebsetup.exe, 00000008.00000003.1872100487.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 0000000A.00000000.1873601596.0000000000971000.00000020.00000001.01000000.00000005.sdmp
Source: Binary string: wextract.pdbU source: dxwebsetup.exe
Source: Binary string: dxupdate.pdb source: dxwsetup.exe, dxwsetup.exe, 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: z:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: x:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: v:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: t:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: r:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: p:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: n:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: l:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: j:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: h:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: f:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: b:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: y:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: w:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: u:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: s:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: q:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: o:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: m:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: k:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: i:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: g:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: e:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File opened: a:
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeCode function: 8_2_01001C7F lstrcpy,lstrcpy,lstrcat,lstrcat,FindFirstFileA,lstrcpy,lstrcmp,lstrcmp,lstrcat,lstrcat,FindNextFileA,FindClose,RemoveDirectoryA,8_2_01001C7F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDA3EB FindFirstFileA,FindClose,10_2_6CBDA3EB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBE1473 WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetLastError,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_memset,FindFirstFileA,FindClose,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,10_2_6CBE1473
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDD86D GetWindowsDirectoryA,GetLastError,_strrchr,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindFirstFileA,FindClose,10_2_6CBDD86D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDE7AF lstrcmpA,_memset,GetSystemDirectoryA,GetLastError,StringFromGUID2,WideCharToMultiByte,GetLastError,FindFirstFileA,FindNextFileA,FindClose,10_2_6CBDE7AF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDFB07 _memset,_memset,GetWindowsDirectoryA,GetLastError,_memset,FindFirstFileA,lstrcmpA,lstrcmpA,GetFileAttributesA,GetLastError,FindNextFileA,FindClose,10_2_6CBDFB07
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe File opened: C:\Users\user\AppData\Local\Temp\

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Apr2007_d3dx10_33_x64[1].cab entropy: 7.99956097649
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6E6A7A.tmp\Aug2008_d3dx9_39_x86.cab entropy: 7.9996829971
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6F23F7.tmp\Apr2007_d3dx10_33_x64.cab entropy: 7.99956097649
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Aug2008_d3dx9_39_x86.cab entropy: 7.9996829971
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx10_33_x64.cab entropy: 7.99956097649
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Aug2008_d3dx10_39_x86[1].cab entropy: 7.99888618458
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Apr2007_xact_x86[1].cab entropy: 7.99449196682
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6E6FE9.tmp\Aug2008_d3dx10_39_x86.cab entropy: 7.99888618458
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6F28E8.tmp\Apr2007_xact_x86.cab entropy: 7.99449196682
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Aug2008_d3dx10_39_x86.cab entropy: 7.99888618458
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Apr2007_xact_x86.cab entropy: 7.99449196682
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Nov2008_d3dx9_40_x86[1].cab entropy: 7.99964527898
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Apr2007_xact_x64[1].cab entropy: 7.99671826657
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6E7509.tmp\Nov2008_d3dx9_40_x86.cab entropy: 7.99964527898
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6F2CB1.tmp\Apr2007_xact_x64.cab entropy: 7.99671826657
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Nov2008_d3dx9_40_x86.cab entropy: 7.99964527898
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Apr2007_xact_x64.cab entropy: 7.99671826657
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Nov2008_d3dx10_40_x86[1].cab entropy: 7.99901184706
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Jun2007_d3dx9_34_x64[1].cab entropy: 7.99979539491
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6E7AA7.tmp\Nov2008_d3dx10_40_x86.cab entropy: 7.99901184706
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\dxupdate[1].cab entropy: 7.99005571784
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6DBD43.tmp\dxupdate.cab entropy: 7.99005571784
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\dxupdate.cab entropy: 7.99005571784
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6F30A9.tmp\Jun2007_d3dx9_34_x64.cab entropy: 7.99979539491
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Nov2008_d3dx10_40_x86.cab entropy: 7.99901184706
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Jun2007_d3dx9_34_x64.cab entropy: 7.99979539491
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Mar2009_d3dx9_41_x86[1].cab entropy: 7.99977242309
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6E7FC7.tmp\Mar2009_d3dx9_41_x86.cab entropy: 7.99977242309
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Jun2007_d3dx10_34_x64[1].cab entropy: 7.99954275121
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Mar2009_d3dx9_41_x86.cab entropy: 7.99977242309
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6F3627.tmp\Jun2007_d3dx10_34_x64.cab entropy: 7.99954275121
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Jun2007_d3dx10_34_x64.cab entropy: 7.99954275121
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Mar2009_d3dx10_41_x86[1].cab entropy: 7.99875716031
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Jun2007_xact_x86[1].cab entropy: 7.99490970306
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6E8565.tmp\Mar2009_d3dx10_41_x86.cab entropy: 7.99875716031
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6F3AEA.tmp\Jun2007_xact_x86.cab entropy: 7.99490970306
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Mar2009_d3dx10_41_x86.cab entropy: 7.99875716031
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Jun2007_xact_x86.cab entropy: 7.99490970306
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Aug2009_d3dx9_42_x86[1].cab entropy: 7.99947517428
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Jun2007_xact_x64[1].cab entropy: 7.99632463398
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6E8A66.tmp\Aug2009_d3dx9_42_x86.cab entropy: 7.99947517428
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6F3EC2.tmp\Jun2007_xact_x64.cab entropy: 7.99632463398
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Aug2009_d3dx9_42_x86.cab entropy: 7.99947517428
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Jun2007_xact_x64.cab entropy: 7.99632463398
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Aug2009_d3dx10_42_x86[1].cab entropy: 7.99617858979
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Aug2007_d3dx9_35_x64[1].cab entropy: 7.99981610566
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6E8F39.tmp\Aug2009_d3dx10_42_x86.cab entropy: 7.99617858979
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS6F42E9.tmp\Aug2007_d3dx9_35_x64.cab entropy: 7.99981610566
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Aug2009_d3dx10_42_x86.cab entropy: 7.99617858979
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\Aug2007_d3dx9_35_x64.cab entropy: 7.99981610566
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Aug2009_d3dx11_42_x86[1].cab entropy: 7.99133262696
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Aug2007_d3dx10_35_x64[1].cab entropy: 7.99946574434Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E9311.tmp\Aug2009_d3dx11_42_x86.cab entropy: 7.99133262696Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6F48B5.tmp\Aug2007_d3dx10_35_x64.cab entropy: 7.99946574434Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2009_d3dx11_42_x86.cab entropy: 7.99133262696Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2007_d3dx10_35_x64.cab entropy: 7.99946574434Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Aug2009_d3dcsx_42_x86[1].cab entropy: 7.99929609474Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E96BA.tmp\Aug2009_d3dcsx_42_x86.cab entropy: 7.99929609474Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2009_d3dcsx_42_x86.cab entropy: 7.99929609474Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Dec2006_d3dx10_00_x86[1].cab entropy: 7.99660427625Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6DEFDC.tmp\Dec2006_d3dx10_00_x86.cab entropy: 7.99660427625Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx10_00_x86.cab entropy: 7.99660427625Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Dec2006_d3dx10_00_x64[1].cab entropy: 7.99694629492Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6DF3D3.tmp\Dec2006_d3dx10_00_x64.cab entropy: 7.99694629492Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx10_00_x64.cab entropy: 7.99694629492Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Aug2009_D3DCompiler_42_x86[1].cab entropy: 7.99844166401Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E9DFE.tmp\Aug2009_D3DCompiler_42_x86.cab entropy: 7.99844166401Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2009_D3DCompiler_42_x86.cab entropy: 7.99844166401Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Jun2010_d3dx9_43_x86[1].cab entropy: 7.99938038089Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EA2FF.tmp\Jun2010_d3dx9_43_x86.cab entropy: 7.99938038089Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2010_d3dx9_43_x86.cab entropy: 7.99938038089Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Jun2010_d3dx10_43_x86[1].cab entropy: 7.99666344587Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EA7A3.tmp\Jun2010_d3dx10_43_x86.cab entropy: 7.99666344587Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2010_d3dx10_43_x86.cab entropy: 7.99666344587Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Jun2010_d3dx11_43_x86[1].cab entropy: 7.9918106197Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Feb2005_d3dx9_24_x86[1].cab entropy: 7.99897272471Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6DFE72.tmp\Feb2005_d3dx9_24_x86.cab entropy: 7.99897272471Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2005_d3dx9_24_x86.cab entropy: 7.99897272471Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Apr2005_d3dx9_25_x86[1].cab entropy: 7.99907513517Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E0373.tmp\Apr2005_d3dx9_25_x86.cab entropy: 7.99907513517Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2005_d3dx9_25_x86.cab entropy: 7.99907513517Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Jun2005_d3dx9_26_x86[1].cab entropy: 7.99904021782Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EAB9A.tmp\Jun2010_d3dx11_43_x86.cab entropy: 7.9918106197Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2010_d3dx11_43_x86.cab entropy: 7.9918106197Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Jun2010_d3dcsx_43_x86[1].cab entropy: 7.99695515494Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EAF05.tmp\Jun2010_d3dcsx_43_x86.cab entropy: 7.99695515494Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2010_d3dcsx_43_x86.cab entropy: 7.99695515494Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Jun2010_D3DCompiler_43_x86[1].cab entropy: 7.99831524311Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EB3B8.tmp\Jun2010_D3DCompiler_43_x86.cab entropy: 7.99831524311Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2010_D3DCompiler_43_x86.cab entropy: 7.99831524311Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Feb2005_d3dx9_24_x64[1].cab entropy: 7.99956721817Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EB8D9.tmp\Feb2005_d3dx9_24_x64.cab entropy: 7.99956721817Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E0855.tmp\Jun2005_d3dx9_26_x86.cab entropy: 7.99904021782Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2005_d3dx9_26_x86.cab entropy: 7.99904021782Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Aug2005_d3dx9_27_x86[1].cab entropy: 7.99913898215Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E0D47.tmp\Aug2005_d3dx9_27_x86.cab entropy: 7.99913898215Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2005_d3dx9_27_x86.cab entropy: 7.99913898215Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Dec2005_d3dx9_28_x86[1].cab entropy: 7.99912186515Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E1239.tmp\Dec2005_d3dx9_28_x86.cab entropy: 7.99912186515Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2005_d3dx9_28_x86.cab entropy: 7.99912186515Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Feb2006_d3dx9_29_x86[1].cab entropy: 7.99922866964Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E172A.tmp\Feb2006_d3dx9_29_x86.cab entropy: 7.99922866964Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2005_d3dx9_24_x64.cab entropy: 7.99956721817Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Apr2005_d3dx9_25_x64[1].cab entropy: 7.99971456955Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EBE19.tmp\Apr2005_d3dx9_25_x64.cab entropy: 7.99971456955Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2005_d3dx9_25_x64.cab entropy: 7.99971456955Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Jun2005_d3dx9_26_x64[1].cab entropy: 7.9996191239Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EC349.tmp\Jun2005_d3dx9_26_x64.cab entropy: 7.9996191239Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2005_d3dx9_26_x64.cab entropy: 7.9996191239Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Aug2005_d3dx9_27_x64[1].cab entropy: 7.99967199939Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EC898.tmp\Aug2005_d3dx9_27_x64.cab entropy: 7.99967199939Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2005_d3dx9_27_x64.cab entropy: 7.99967199939Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2006_d3dx9_29_x86.cab entropy: 7.99922866964Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Apr2006_d3dx9_30_x86[1].cab entropy: 7.99905051808Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E1C5A.tmp\Apr2006_d3dx9_30_x86.cab entropy: 7.99905051808Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2006_d3dx9_30_x86.cab entropy: 7.99905051808Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Oct2006_d3dx9_31_x86[1].cab entropy: 7.99908172452Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E215C.tmp\Oct2006_d3dx9_31_x86.cab entropy: 7.99908172452Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Oct2006_d3dx9_31_x86.cab entropy: 7.99908172452Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Dec2005_d3dx9_28_x64[1].cab entropy: 7.9996739284Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6ECDC8.tmp\Dec2005_d3dx9_28_x64.cab entropy: 7.9996739284Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2005_d3dx9_28_x64.cab entropy: 7.9996739284Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Feb2006_d3dx9_29_x64[1].cab entropy: 7.99967777757Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6ED327.tmp\Feb2006_d3dx9_29_x64.cab entropy: 7.99967777757Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2006_d3dx9_29_x64.cab entropy: 7.99967777757Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Feb2006_xact_x86[1].cab entropy: 7.99214177755Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6ED8B5.tmp\Feb2006_xact_x86.cab entropy: 7.99214177755Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2006_xact_x86.cab entropy: 7.99214177755Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Feb2006_xact_x64[1].cab entropy: 7.99567918868Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Dec2006_d3dx9_32_x86[1].cab entropy: 7.99909224767Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E265D.tmp\Dec2006_d3dx9_32_x86.cab entropy: 7.99909224767Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx9_32_x86.cab entropy: 7.99909224767Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Apr2007_d3dx9_33_x86[1].cab entropy: 7.99928426182Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E2BFA.tmp\Apr2007_d3dx9_33_x86.cab entropy: 7.99928426182Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx9_33_x86.cab entropy: 7.99928426182Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Apr2007_d3dx10_33_x86[1].cab entropy: 7.99896802841Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E31A7.tmp\Apr2007_d3dx10_33_x86.cab entropy: 7.99896802841Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx10_33_x86.cab entropy: 7.99896802841Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Jun2007_d3dx9_34_x86[1].cab entropy: 7.99906642826Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EDC5F.tmp\Feb2006_xact_x64.cab entropy: 7.99567918868Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2006_xact_x64.cab entropy: 7.99567918868Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Apr2006_d3dx9_30_x64[1].cab entropy: 7.99967825236Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EE018.tmp\Apr2006_d3dx9_30_x64.cab entropy: 7.99967825236Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2006_d3dx9_30_x64.cab entropy: 7.99967825236Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Apr2006_xact_x86[1].cab entropy: 7.99281124378Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EE5B5.tmp\Apr2006_xact_x86.cab entropy: 7.99281124378Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2006_xact_x86.cab entropy: 7.99281124378Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Apr2006_xact_x64[1].cab entropy: 7.9963671694Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EE93F.tmp\Apr2006_xact_x64.cab entropy: 7.9963671694Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E364B.tmp\Jun2007_d3dx9_34_x86.cab entropy: 7.99906642826Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2007_d3dx9_34_x86.cab entropy: 7.99906642826Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Jun2007_d3dx10_34_x86[1].cab entropy: 7.9989902264Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E3C17.tmp\Jun2007_d3dx10_34_x86.cab entropy: 7.9989902264Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2007_d3dx10_34_x86.cab entropy: 7.9989902264Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Aug2007_d3dx9_35_x86[1].cab entropy: 7.9991869164Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E40DA.tmp\Aug2007_d3dx9_35_x86.cab entropy: 7.9991869164Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2007_d3dx9_35_x86.cab entropy: 7.9991869164Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Aug2007_d3dx10_35_x86[1].cab entropy: 7.9986813742Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E4649.tmp\Aug2007_d3dx10_35_x86.cab entropy: 7.9986813742Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2006_xact_x64.cab entropy: 7.9963671694Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Jun2006_xact_x86[1].cab entropy: 7.99289442832Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EED08.tmp\Jun2006_xact_x86.cab entropy: 7.99289442832Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2006_xact_x86.cab entropy: 7.99289442832Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Jun2006_xact_x64[1].cab entropy: 7.9960175906Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EF092.tmp\Jun2006_xact_x64.cab entropy: 7.9960175906Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2006_xact_x64.cab entropy: 7.9960175906Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Aug2006_xact_x86[1].cab entropy: 7.99387234818Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EF4B9.tmp\Aug2006_xact_x86.cab entropy: 7.99387234818Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2006_xact_x86.cab entropy: 7.99387234818Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2007_d3dx10_35_x86.cab entropy: 7.9986813742Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Nov2007_d3dx9_36_x86[1].cab entropy: 7.99907865291Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E4B3A.tmp\Nov2007_d3dx9_36_x86.cab entropy: 7.99907865291Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Nov2007_d3dx9_36_x86.cab entropy: 7.99907865291Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Nov2007_d3dx10_36_x86[1].cab entropy: 7.99885807363Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E50C8.tmp\Nov2007_d3dx10_36_x86.cab entropy: 7.99885807363Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Nov2007_d3dx10_36_x86.cab entropy: 7.99885807363Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Mar2008_d3dx9_37_x86[1].cab entropy: 7.99972380205Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E558B.tmp\Mar2008_d3dx9_37_x86.cab entropy: 7.99972380205Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Mar2008_d3dx9_37_x86.cab entropy: 7.99972380205Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Aug2006_xact_x64[1].cab entropy: 7.99568599131Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EF8A1.tmp\Aug2006_xact_x64.cab entropy: 7.99568599131Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2006_xact_x64.cab entropy: 7.99568599131Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Oct2006_d3dx9_31_x64[1].cab entropy: 7.99968945572Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6EFC6A.tmp\Oct2006_d3dx9_31_x64.cab entropy: 7.99968945572Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Oct2006_d3dx9_31_x64.cab entropy: 7.99968945572Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Oct2006_xact_x86[1].cab entropy: 7.99419790986Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6F0207.tmp\Oct2006_xact_x86.cab entropy: 7.99419790986Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Oct2006_xact_x86.cab entropy: 7.99419790986Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Oct2006_xact_x64[1].cab entropy: 7.99644077128Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6F05B1.tmp\Oct2006_xact_x64.cab entropy: 7.99644077128Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Oct2006_xact_x64.cab entropy: 7.99644077128Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Dec2006_d3dx9_32_x64[1].cab entropy: 7.99975750886Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6F0979.tmp\Dec2006_d3dx9_32_x64.cab entropy: 7.99975750886Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx9_32_x64.cab entropy: 7.99975750886Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Dec2006_xact_x86[1].cab entropy: 7.9939423459Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6F0ED8.tmp\Dec2006_xact_x86.cab entropy: 7.9939423459Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_xact_x86.cab entropy: 7.9939423459Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Dec2006_xact_x64[1].cab entropy: 7.99660647787Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6F12C0.tmp\Dec2006_xact_x64.cab entropy: 7.99660647787Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_xact_x64.cab entropy: 7.99660647787Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Mar2008_d3dx10_37_x86[1].cab entropy: 7.99894945695Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\Feb2007_xact_x86[1].cab entropy: 7.99397256556Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E5B38.tmp\Mar2008_d3dx10_37_x86.cab entropy: 7.99894945695Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6F1699.tmp\Feb2007_xact_x86.cab entropy: 7.99397256556Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Mar2008_d3dx10_37_x86.cab entropy: 7.99894945695Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2007_xact_x86.cab entropy: 7.99397256556Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Jun2008_d3dx9_38_x86[1].cab entropy: 7.99972642235Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\Feb2007_xact_x64[1].cab entropy: 7.99592167011Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E601A.tmp\Jun2008_d3dx9_38_x86.cab entropy: 7.99972642235Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6F1A42.tmp\Feb2007_xact_x64.cab entropy: 7.99592167011Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2008_d3dx9_38_x86.cab entropy: 7.99972642235Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2007_xact_x64.cab entropy: 7.99592167011Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Jun2008_d3dx10_38_x86[1].cab entropy: 7.99898013077Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\Apr2007_d3dx9_33_x64[1].cab entropy: 7.99980407083Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6E6569.tmp\Jun2008_d3dx10_38_x86.cab entropy: 7.99898013077Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS6F1E4A.tmp\Apr2007_d3dx9_33_x64.cab entropy: 7.99980407083Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2008_d3dx10_38_x86.cab entropy: 7.99898013077Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx9_33_x64.cab entropy: 7.99980407083Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Aug2008_d3dx9_39_x86[1].cab entropy: 7.9996829971Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\Logs\DirectX.logJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile deleted: C:\Windows\SysWOW64\directx\websetup\SETA517.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBE680F10_2_6CBE680F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBF1DD610_2_6CBF1DD6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBE036210_2_6CBE0362
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBE0CB310_2_6CBE0CB3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDD86D10_2_6CBDD86D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBE2D3610_2_6CBE2D36
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDEA8710_2_6CBDEA87
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBED20010_2_6CBED200
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBEFF6D10_2_6CBEFF6D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: String function: 6CBDB0F6 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: String function: 6CBD9BC1 appears 324 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: String function: 6CBED1A0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: String function: 6CBD9A40 appears 211 times
Source: dxwsetup.exe.8.drStatic PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeSection loaded: advpack.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: advpack.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: devrtl.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: spinf.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: drvstore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: spfileq.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: inseng.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ieadvpack.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: msvcp140_2.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: xinput1_3.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\Palworld\Palworld.exeSection loaded: wintypes.dllJump to behavior
Source: classification engineClassification label: mal48.rans.winZIP@6/252@0/0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBD9BC1 __wstrtime,__wstrtime,_strrchr,FormatMessageA,LocalFree,GetLastError,10_2_6CBD9BC1
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeCode function: 8_2_010018B5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,8_2_010018B5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDE634 GetDiskFreeSpaceA,GetLastError,GetModuleHandleA,GetLastError,GetProcAddress,GetLastError,GetLastError,10_2_6CBDE634
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBEA2F6 CreateEventA,CoInitialize,CoCreateInstance,10_2_6CBEA2F6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\dxupdate[1].cabJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeMutant created: \Sessions\1\BaseNamedObjects\DSETUP32 DLL Mutex
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeMutant created: \Sessions\1\BaseNamedObjects\DXWSETUP
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMPJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknownProcess created: C:\Users\user\Desktop\Palworld\dxwebsetup.exe "C:\Users\user\Desktop\Palworld\dxwebsetup.exe"
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Source: unknownProcess created: C:\Users\user\Desktop\Palworld\Palworld.exe "C:\Users\user\Desktop\Palworld\Palworld.exe"
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E449686-C509-11CF-AAFA-00AA00B6015C}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeWindow found: window name: SysTabControl32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeWindow detected: Installing Microsoft(R) DirectX(R)Welcome to setup for DirectXThe DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT DIRECTX END USER RUNTIMEThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. 
You may not* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
Source: Binary string: DSETUP.pdb source: SETA517.tmp.10.dr
Source: Binary string: DSETUP.pdb0 source: SETA517.tmp.10.dr
Source: Binary string: wextract.pdb source: dxwebsetup.exe
Source: Binary string: BootstrapPackagedGame-Win64-Shipping.pdb source: Palworld.exe
Source: Binary string: dxwsetup.pdb source: dxwebsetup.exe, 00000008.00000003.1872100487.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 0000000A.00000000.1873601596.0000000000971000.00000020.00000001.01000000.00000005.sdmp
Source: Binary string: wextract.pdbU source: dxwebsetup.exe
Source: Binary string: dxupdate.pdb source: dxwsetup.exe, dxwsetup.exe, 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDB4D6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetLastError,GetLastError,GetLastError,10_2_6CBDB4D6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBED1E5 push ecx; ret 10_2_6CBED1F8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\dsetup.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\SETA537.tmpJump to dropped file
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dllJump to dropped file
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\SETA517.tmpJump to dropped file
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxupdate.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBE680F _strnlen,GetPrivateProfileStringA,10_2_6CBE680F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDC99A _realloc,GetPrivateProfileSectionNamesA,10_2_6CBDC99A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBE0CB3 DirectXUpdateGetSetupInformation,GetModuleFileNameA,GetLastError,_strnlen,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,10_2_6CBE0CB3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDC01B _memset,GetPrivateProfileStringA,10_2_6CBDC01B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDF070 GetPrivateProfileIntA,_strnlen,CharLowerA,_strnlen,_strnlen,_strnlen,CharLowerA,_strnlen,_strnlen,_strnlen,_strnlen,10_2_6CBDF070
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBE097D _memset,_memset,GetPrivateProfileStringA,GetPrivateProfileStringA,_strrchr,GetPrivateProfileStringA,GetVersionExA,GetLastError,10_2_6CBE097D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDEA87 GetSystemDirectoryA,GetLastError,GetPrivateProfileStringA,lstrcmpA,lstrcmpA,_strnlen,lstrcmpA,lstrcmpA,10_2_6CBDEA87
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDD792 GetPrivateProfileStringA,10_2_6CBDD792
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeDropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeDropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\dsetup.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeDropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\SETA537.tmpJump to dropped file
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeDropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\SETA517.tmpJump to dropped file
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxupdate.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeEvaded block: after key decisiongraph_10-14060
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_10-13744
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_10-13017
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_8-239
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exeCode function: 8_2_01001C7F lstrcpy,lstrcpy,lstrcat,lstrcat,FindFirstFileA,lstrcpy,lstrcmp,lstrcmp,lstrcat,lstrcat,FindNextFileA,FindClose,RemoveDirectoryA,8_2_01001C7F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDA3EB FindFirstFileA,FindClose,10_2_6CBDA3EB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBE1473 WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetLastError,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_memset,FindFirstFileA,FindClose,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,10_2_6CBE1473
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDD86D GetWindowsDirectoryA,GetLastError,_strrchr,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindFirstFileA,FindClose,10_2_6CBDD86D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDE7AF lstrcmpA,_memset,GetSystemDirectoryA,GetLastError,StringFromGUID2,WideCharToMultiByte,GetLastError,FindFirstFileA,FindNextFileA,FindClose,10_2_6CBDE7AF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBDFB07 _memset,_memset,GetWindowsDirectoryA,GetLastError,_memset,FindFirstFileA,lstrcmpA,lstrcmpA,GetFileAttributesA,GetLastError,FindNextFileA,FindClose,10_2_6CBDFB07
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeCode function: 10_2_6CBF62CB __get_wpgmptr,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,10_2_6CBF62CB
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe | File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe | File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: dxwsetup.exe, 0000000A.00000003.1952407567.0000000001232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
Source: dxwsetup.exe, 0000000A.00000003.1952407567.0000000001232000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 0000000A.00000003.1966217841.000000000123D000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 0000000A.00000002.2965092882.000000000123D000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 0000000A.00000003.1952407567.0000000001285000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | API call chain: ExitProcess graph end node | graph_10-13018
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Code function: 10_2_6CBD98CF GetWindowsDirectoryA,OutputDebugStringA,CreateDirectoryA,GetLastError,__wstrtime,__wstrtime | 10_2_6CBD98CF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Code function: 10_2_6CBDB4D6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetLastError,GetLastError,GetLastError | 10_2_6CBDB4D6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Code function: 10_2_6CBF5A16 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetEndOfFile,GetLastError | 10_2_6CBF5A16
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Code function: 10_2_6CBF56F8 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 10_2_6CBF56F8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Code function: 10_2_6CBEAE6A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 10_2_6CBEAE6A
Source: C:\Users\user\Desktop\Palworld\dxwebsetup.exe | Code function: 8_2_0100168B GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle | 8_2_0100168B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Code function: GetLocaleInfoA | 10_2_6CBF6092
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Code function: 10_2_6CBEACA5 GetLocalTime | 10_2_6CBEACA5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Code function: 10_2_6CBEA48C GetVersionExA,__heap_term,GetCommandLineA,___crtGetEnvironmentStringsA,__mtterm,__mtterm,__heap_term,___set_flsgetvalue,__freeptd | 10_2_6CBEA48C
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 5 Native API | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 21 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Process Injection | 1 Access Token Manipulation | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Process Injection | Security Account Manager | 21 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | NTDS | 11 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rundll32 | Cached Domain Credentials | 15 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1383505, Sample: Palworld.zip, Startdate: 30/01/2024, Architecture: WINDOWS, Score: 48)

  • Signature: Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
  • Started: dxwebsetup.exe 1 7, Palworld.exe, rundll32.exe, dxwebsetup.exe
  • dxwebsetup.exe dropped: C:\Users\user\AppData\Local\...\dxwsetup.exe, PE32; C:\Users\user\AppData\Local\...\dsetup32.dll, PE32; C:\Users\user\AppData\Local\...\dsetup.dll, PE32
  • dxwebsetup.exe started: dxwsetup.exe 400
  • dxwsetup.exe dropped: C:\Windows\...\Aug2007_d3dx10_35_x64.cab, Microsoft; C:\Windows\...\Aug2007_d3dx9_35_x64.cab, Microsoft; C:\Windows\...\Jun2007_xact_x64.cab, Microsoft; 221 other files (216 malicious)
  • dxwsetup.exe signature: Writes many files with high entropy

No Antivirus matches

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxupdate.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | 0% | ReversingLabs
C:\Windows\SysWOW64\directx\websetup\SETA517.tmp | 0% | ReversingLabs
C:\Windows\SysWOW64\directx\websetup\SETA537.tmp | 0% | ReversingLabs
C:\Windows\SysWOW64\directx\websetup\dsetup.dll (copy) | 0% | ReversingLabs
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (copy) | 0% | ReversingLabs

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://download.mic | 0% | Avira URL Cloud | safe
http://download.microsoft.co | 0% | Avira URL Cloud | safe
http://www.betaplace.com.DInstalacn | 0% | Avira URL Cloud | safe
http://www.BetaPlace.com.? | 0% | Avira URL Cloud | safe
http://www.BetaPlace.comEContinuare | 0% | Avira URL Cloud | safe
http://www.betaplace.com | 0% | Avira URL Cloud | safe
http://www.betaplace.com. | 0% | Avira URL Cloud | safe

No contacted domains info
No contacted IP infos

Joe Sandbox version: 39.0.0 Ruby
Analysis ID: 1383505
Start date and time: 2024-01-30 18:56:23 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Palworld.zip
Detection: MAL
Classification: mal48.rans.winZIP@6/252@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 35
  • Number of non-executed functions: 96
Cookbook Comments:
  • Found application associated with file extension: .zip
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 23.54.200.233
  • Excluded domains from analysis (whitelisted): dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, ocsp.digicert.com, slscr.update.microsoft.com, download.microsoft.com.edgekey.net, main.dl.ms.akadns.net, ctldl.windowsupdate.com, download.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteFile calls found.
  • VT rate limit hit for: Palworld.zip
No simulations
No context
No context
No context
No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll | Palworld.exe | Get hash | malicious | Unknown | Browse
 | 5b1cxnTnnS.exe | Get hash | malicious | Unknown | Browse
 | JITStarter.exe | Get hash | malicious | Unknown | Browse
 | JITStarter.exe | Get hash | malicious | Unknown | Browse
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dll | Palworld.exe | Get hash | malicious | Unknown | Browse
 | 5b1cxnTnnS.exe | Get hash | malicious | Unknown | Browse
 | JITStarter.exe | Get hash | malicious | Unknown | Browse
 | JITStarter.exe | Get hash | malicious | Unknown | Browse

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 1341394 bytes, 5 files, at 0x44 +A "d3dx9_25_x64.cat" +A "d3dx9_25.dll", flags 0x4, ID 6661, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
Category: dropped
Size (bytes): 1350562
Entropy (8bit): 7.999714569554039
Encrypted: true
SSDEEP: 24576:qc+wdspnWpjnrcf+FH+guUawET50xShS+KMMMBNNxjUBH/0ghOw5b:r+AspngnK1TDhS+jMMBN3jeHLhOE
MD5: E961A77647E7FC2597A68FF572F730E1
SHA1: 976D1CDE1EC28A4992E1CBC345637447115F14C8
SHA-256: A239E99D02FBFC9D30D5B705AA743FC070386FAEA1A66B3D67099AB446568A12
SHA-512: CF72AE18E99942D959BCE58678F544A10C98802D919ADC30737389D6CC0D492F8D7902E0E2CD04501FE6429B96C782649658D2D35C879A202C23E88570A15B94
Malicious: true
Reputation: low
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1109261 bytes, 5 files, at 0x44 +A "d3dx9_30_x86.cat" +A "d3dx9_30.dll", flags 0x4, ID 6903, number 1, extra bytes 20 in head, 74 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1118429
                                                                                  Entropy (8bit):7.999050518080374
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:OreyPa6AC8e290lruGDhi3TSvHDh+ISNvRNhPmJ0RRuu:cNoeYEuTSvjh+R3WKRv
                                                                                  MD5:B3D644A116C54AFDA42A61B0058BE112
                                                                                  SHA1:9AF7DDC29EEF98810A1A2F85DB0B19B2EC771437
                                                                                  SHA-256:CA7B9C6A49E986C350147F00A6C95C5B577847B5667B75681A1EE15E3A189106
                                                                                  SHA-512:A2D2F12B7B37BD8F5C8465DD13AD31942DF11EE5ED5423DEEEB178E6B594587706D2C5116258BE1562CAA5ECA691358AF3CB83B77898D1012FF521017D199165
                                                                                  Malicious:true
                                                                                  Reputation:low
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 127143 bytes, 5 files, at 0x44 +A "xact2_1_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):136311
                                                                                  Entropy (8bit):7.992811243778454
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:NqvFmCDJEmTNSPtjVgIc5Ul8IlTq3UJWaL6LHZF/U7a7b0qJFkd22ig3nQ1d7+Z/:NYmCyC5U+Il0yWYSMaXzkYQ3nWUZDuY
                                                                                  MD5:A2132A62F9AB0BDDC3207166DC014581
                                                                                  SHA1:53B19AC3E6C6752011BA641EE3C409ED10C95DD9
                                                                                  SHA-256:52C71C89CCC22FED3D7C985A22C464451AF34B63B3A26A3799BC25D881221EBC
                                                                                  SHA-512:76FABD7F440B6F9B409B0B2635EAD4EF332563A9BED738A722A7C6B9A077094154BF735CAF02C67191B08AB0A19FC03E05EF3D984F6E34DCF3BD587A05D2F424
                                                                                  Malicious:true
                                                                                  Reputation:low
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 689905 bytes, 6 files, at 0x44 +A "d3dx10_33_x86.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 9049, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):699073
                                                                                  Entropy (8bit):7.998968028413629
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:SHwziN1v34WzSc6IA6ajvY8ov8ZdReUTQ8Mr47JYCophIa9sNDn1QcILtw6:V01wWzCI3ajjls4NpAsNDnMw6
                                                                                  MD5:F784B8A0FD84C8AC3F218A9842D8DA56
                                                                                  SHA1:FB7B4B0F81CD5F1C6A900C71BFD4524AF9A79ECE
                                                                                  SHA-256:949068035CE57BBB3658217EC04F8DE7A122C6E7857B6F8B0CA002EB573DF553
                                                                                  SHA-512:01B818AA5188CDE3504E289AEDCA2D31A6C5AED479B18A2C78271828AE04BEBCD4082051B7F4EECA8A31E8EE5ADBA158420ECDCB21371C735E4781EE5F661DBF
                                                                                  Malicious:true
                                                                                  Reputation:low
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 145265 bytes, 6 files, at 0x44 +A "xact2_7_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 9001, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):154433
                                                                                  Entropy (8bit):7.994491966822324
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:BcJ4S2kOBrMASnHr7M58QmpeFT7582Skd1ksaIwbhQDp9kkIFxYJQZW9379+:BQ4S2kOi/MKbSV82xKnDVQ/EqQZa3k
                                                                                  MD5:8922189C0A46D26B2C52C65515D87180
                                                                                  SHA1:27830C01AFB15158186A045B7224EF33793AD211
                                                                                  SHA-256:39F970BF4CC42E9325ADA84A603C6C691BF94921385A52325F402F7432ACE697
                                                                                  SHA-512:53D51CAA2CF448681A709F2B9737EF75DEA4E9A46E2B29E6588B13E941671643A64D3597649AA2AE0B1FE9E5D591ED00BAD9FF3344CA62851E03A68279142CAB
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 47342 bytes, 5 files, at 0x44 +A "xinput1_3_x86.cat" +A "xinput1_3.dll", flags 0x4, ID 8235, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):56510
                                                                                  Entropy (8bit):7.973777529821975
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:BcnwcwzHEdb27WH2SfZDNu75ddnVR+ZFaNk0ZKn4:4wb+2eZonQwt
                                                                                  MD5:B362EC93463D8B6381A864D35D38C512
                                                                                  SHA1:7CE47EBCEDA117D8B9748B5B2D3A6AE99FC239DF
                                                                                  SHA-256:B6C1166C57D91AFEEEAA745238D0D6465FF2084F0606FD29FAF1BFA9E008A6C5
                                                                                  SHA-512:CC57733912E2A296A11CD078372C3B43F1256A93EC5BECD0D1B520EB210FCE60938AA1CAA6DBBCA03292A05495B5ECD212EE5F77E3EBABB11EF31F1975B2D09E
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 131275 bytes, 5 files, at 0x44 +A "xact2_3_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):140443
                                                                                  Entropy (8bit):7.993872348182751
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:ZLkEev6VCdOQKPuF/p+emNC4J962LGMlPj6MoCW37gwND08:ZLkEeKCdsPufE59tLGMpxobsG08
                                                                                  MD5:E16F0875713956A6F9CD8C5ACAD36E51
                                                                                  SHA1:984B821EAEF3B549CE0B12F72A405A93E51A9DFE
                                                                                  SHA-256:31B16F93BE7F5F9BB78E9ECE6DA96565D50A0BC1F66B206B7A21C601A308DC53
                                                                                  SHA-512:DD626D5552EAF0C1DBD32BC4DD84811BACE74C6350EDDAC692D3C3E8C393F4A19C26E8F2932F54A14648448912E6B87C796C6EEB6DA9B2C55EC4565983B76189
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 40098 bytes, 4 files, at 0x44 +A "xinput1_2_x86.cat" +A "xinput1_2.dll", flags 0x4, ID 6335, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):49266
                                                                                  Entropy (8bit):7.9632460736333766
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:OuG396sAA1wXXvVFc2755DkphtVmUkt/lnkvH0odpl/q1nk:vwQsAhFcSmpJ3kt/xcd7ek
                                                                                  MD5:16B968CA0C435EE45E77A84C2D0364A9
                                                                                  SHA1:90B17A60A34F6335787A6B2D489CBCD3A4EA98C8
                                                                                  SHA-256:6DD7C0ABE37D3DF7AA6DB7BB352260F4A15DC965FF9D30AA32FE9595C1A18300
                                                                                  SHA-512:3BBBFDF8B5673641EC066C3FB52E6B0D5CE0BC6ED6BFF17AB4AC3FA69A8628B09E5EC8322FC39D2A206974B54D297CAAFF9410197E26D090FE74F963CD535045
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 790907 bytes, 6 files, at 0x44 +A "d3dx10_35_x86.cat" +A "d3dcompiler_35.dll", flags 0x4, ID 9055, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):800075
                                                                                  Entropy (8bit):7.9986813742013325
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:iTo6mZ4UtaxS5hNsXjnUQEnnR62vSNE6xr8M6:iTdwtqAUXjU7nQaSNvxo
                                                                                  MD5:DDC4AF0D53B477E5AF77942E7118B66E
                                                                                  SHA1:81AD8201DCF653A6E977C4506A274D0BAC12643C
                                                                                  SHA-256:9536166EE7CC1100CFE24E01532E8E4DEED6BAA838B4C025581F2CA046A25915
                                                                                  SHA-512:1E082D7E7855BC0AF6EC09D4A69FD4A1B0A3A31E4DE8FAA52FA0BDCD601C501ADA6216DDDB83058F37AB4A371068E0F344BDF42F2551943BE19BD719D99BA93C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 843207 bytes, 6 files, at 0x44 "d3dx10_39.dll" "D3DCompiler_39.dll", flags 0x4, ID 8952, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):852375
                                                                                  Entropy (8bit):7.998886184584254
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:E6Ih4DqlkwAjhr1mB+uYgrCvCZNmJ9ndKo4XYbX:E664DQkwAj/oNCvCZIdN4ID
                                                                                  MD5:5380053AC4C344BD38604022476B1C1D
                                                                                  SHA1:043DC8F49BCA3BF0BD85E858F5C2EEDF68565C0D
                                                                                  SHA-256:84800C55F773D5D6913E344E41BABA58CF07CEC2E6C7114CA3BF48E8F355419F
                                                                                  SHA-512:F3CE2DEF6E2E8A1D2C07F627E3C437A1BBA0B2E456020A84121346472BE3D28E0FC69623BD408F35A2C639C83DD2787F998DEDFE42B7625DC71500824B035FEC
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 3313780 bytes, 5 files, at 0x44 "d3dcsx_42.dll" "d3dcsx_42_x86.cat", flags 0x4, ID 7865, number 1, extra bytes 20 in head, 169 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):3322948
                                                                                  Entropy (8bit):7.9992960947448655
                                                                                  Encrypted:true
                                                                                  SSDEEP:98304:hd4ZyuDJf9oMm+hWh3ZHD8VZQCbsY/ny66RHX:BuD8b2WUZQCg+ny/
                                                                                  MD5:73BA11CE0E936726FC9FCB882F8B91EA
                                                                                  SHA1:4A4BABE3AC751E60AE6B5B0D69C93FA53D7FCD21
                                                                                  SHA-256:A9A704B73531D6BF59A421AB5C046C19A16D2B0B07F09816DBE9DA4550A24B17
                                                                                  SHA-512:9A198EB93D5623651D2981A277EAB4C345C08161254D0127D90C97344450AC1A7FD5C8AC840048A43A347E3296B286B646EA0FBA88F0C7BCE1CEED1484112D56
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1356836 bytes, 5 files, at 0x44 +A "d3dx9_29_x64.cat" +A "d3dx9_29.dll", flags 0x4, ID 6656, number 1, extra bytes 20 in head, 120 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1366004
                                                                                  Entropy (8bit):7.99967777757325
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:Qllh+6W44yAAf47xvIWTTbTpHe3Agqqvx3C86vBOZw1b4oWU+vz3zJvxfIc:Qh4DhlgWRHeQgtvx3FABOCth8vzN7
                                                                                  MD5:33618039DAC4E97C813E5BC1A499E6C6
                                                                                  SHA1:C792B9D0134DF698476C2FA4179DE6BCE8AA583B
                                                                                  SHA-256:A5FFAF9D58DA5D79402C4DC93E79960F971D2701D4651BB33D18925AF641F11D
                                                                                  SHA-512:35B490903721CA5FAEF73815D4F9C6F52EFAB1FE82A4FDBD7566A1B028525AFD29A72DC68D4B7D219CFA5CB33FEC241D6B2784F15F9795D368DC356B3DF30B5D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 142023 bytes, 5 files, at 0x44 +A "xact2_6_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7329, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):151191
                                                                                  Entropy (8bit):7.993972565562067
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:4uMWvVgAanBDv9WkUtrr/uZfQMyolbnXkFDwoY0ZwuY:BVgAutNUtrLuZfjjljgTY0JY
                                                                                  MD5:A09F7EAB35816D682E7432DBB36B047D
                                                                                  SHA1:DB67B9434ABAA8E7F166956A1C8D01F536162C21
                                                                                  SHA-256:0E3655490667DDF17150AEC089889268BDD7F1E8367D2BED6F3EB68A5FF28288
                                                                                  SHA-512:FB1CDBFB3CDD60783D1C8696EA6EFB746331880C79AA74052808CA09092CF1A2336BF784104D16203740998129B718DC0AD4A632E4031E85CCF340C593F05E57
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1058965 bytes, 5 files, at 0x44 +A "d3dx9_26_x86.cat" +A "d3dx9_26.dll", flags 0x4, ID 6937, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1068133
                                                                                  Entropy (8bit):7.999040217820951
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:NxFMsUF1MmwONoWu85w6SFBu+vveJ0sut3z2A1s9z/D8gigA:V3dm3NoW+9FBhuJ9ut36A1s9z78giP
                                                                                  MD5:029359EBCA4BA5945282E0C021B26102
                                                                                  SHA1:6107919F51E1B952CA600F832A6F86CBBED064B5
                                                                                  SHA-256:C44EABF5BE3B87CD845950670C27F6A1E5D92B7758BA7C39C7849B1EE1C649C0
                                                                                  SHA-512:FA007F257F5267119B247EC4ED368E51FD73E6AEA3097E2FC4E78078C063AF34D161FD1BDCAF3097BB575D2614DBA226A624D060009EE4F7BEDA697EFCF42BB7
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 146949 bytes, 6 files, at 0x44 +A "xact2_8_x86.cat" +A "x3daudio1_2.dll", flags 0x4, ID 9016, number 1, extra bytes 20 in head, 10 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):156117
                                                                                  Entropy (8bit):7.994909703055095
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:tG7RXkNHRrOaYVD5yEThWmLksx2MeEm6oOD4+3y20OXtGhlYRTPZDT5P/lJXptA:eX8KVD5yETfLksAMUHo4+T5IhlYRDZDy
                                                                                  MD5:001CFF513A31EE082133E7BA3B0D71A2
                                                                                  SHA1:4517610A25239A16C26CA9890E1F0E52DDA3781A
                                                                                  SHA-256:245B0C554CBE2677939A70E5C4C6666B1B43D10D47980223F8CDEADB2D0EB76B
                                                                                  SHA-512:7119F6CA16FE6D968310F34828F30D8144531B89583CFD529056D2E31D5164FC65136FA9015B69849F724EC641A9291AC644C91CC3FA8EBDD4DAF9CF5A665A7F
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 103485 bytes, 5 files, at 0x44 "d3dx11_43.dll" "d3dx11_43_x86.cat", flags 0x4, ID 7298, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):112653
                                                                                  Entropy (8bit):7.991810619702373
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:tXMVzDTlrM28bEHSqgik2ono4DQQ/7cuBFbb9aD4:tXMxNjG4gikye5FBtBr
                                                                                  MD5:061BBA3836B3FFCBB01B150467BBE951
                                                                                  SHA1:00D8FBCD4068B3199D3D393BB4B86BF82985480D
                                                                                  SHA-256:B80DB68CD82CAF8BEDAEE62808171B20C546A76499C3AD53014E3BD2FBD2918D
                                                                                  SHA-512:AEC8327E1CCC0B33B3E32D66A5EE25C4B70A227B708D10F61EBAD2D998F3BE68145FA85C50BAA16A21EE766B336B1432FBEC02C75D698793092015C832B6FC26
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 812300 bytes, 6 files, at 0x44 "d3dx10_37.dll" "D3DCompiler_37.dll", flags 0x4, ID 8943, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):821468
                                                                                  Entropy (8bit):7.9989494569533655
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:k8Yjgk28yEYvDLX3XmZcLHo9yLvTJqnrT+LprnNjjjGM6pdKi814DYnciABrI55V:1Yjp/yEcfLI9y4rORNYdKibxBrIS6
                                                                                  MD5:8234B9B90BCBB5077E1B5FAA0B66D1A9
                                                                                  SHA1:E9207C572FDEC592B7C17A7F9C6F875C8A55B1F0
                                                                                  SHA-256:6A2727269E6CAC7C4D2E316333D29BAC0DC1CD7F51C36C0C08B0388203DEDAD2
                                                                                  SHA-512:74C94A6E092D7C828FC1E3FAEE4B21917AFC3CACEC04F260754190D0533F93A58289763AC620E5A577F7865902023B30548CDA4D9E968C90EE13050AD6D1E8C5
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1034785 bytes, 6 files, at 0x44 "d3dx10_41.dll" "D3DCompiler_41.dll", flags 0x4, ID 8914, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1043953
                                                                                  Entropy (8bit):7.998757160305283
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:JAEjuCeK6JgAkPBJoBgsqDP8FbGACV0L/sW0G+vv2:JFuCeVJqyxqDUFb9CV8r
                                                                                  MD5:45E83CBA5710A1DE7D3990A288122E85
                                                                                  SHA1:23C4BFBDDCFB11ACB7C47C409825F039AF7EB908
                                                                                  SHA-256:B7DA29103CDF374DE0C09713CB985035EAC45FB8B394D3B8157D8A7562A89899
                                                                                  SHA-512:8C56D376D349AA00948E1F3C6168DADE76AC9A26ADE1AAC5A385DCF0253602F5A2973483D083425195DB6AD7717494FD3CF674F5549774AC608CEFA2A88BF0A7
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 176401 bytes, 6 files, at 0x44 +A "xact2_4_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):185569
                                                                                  Entropy (8bit):7.996440771278114
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:m3ZITAOIgaJqZazyaNuGKQb5aML7XTXM9+37VD5d58Oxz+oKG+ONa8bW9uMBowLB:iImMo2aHb0MvDn3jdhzWONFob
                                                                                  MD5:CC568D26B5B4CDA021D528CF75B21699
                                                                                  SHA1:DD47A33950C9E3A88DEFCAA7EA331FB1F1BBAB97
                                                                                  SHA-256:662D4E5D005CDBA02FABB0D7A68A7B48ECAFDEBE21718D892833D5C482E5ADD7
                                                                                  SHA-512:24B53BBD82DEC594D9909352D1F2AFE69B6F082DB99AAB3385826C4E8D22F5C075F3C5A24C8104DBEEF2D894980319AF141C65D768A51936C75092A846F3C8AA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 173173 bytes, 6 files, at 0x44 +A "xact2_1_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):182341
                                                                                  Entropy (8bit):7.996367169399176
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:iP7n/mIkqSEiqQAK23yLLBIvm2dozls4yaqS0yaP/Y5UZEPnQ79:iPL+fRqQAD3Tvxd8l/zsg5UZEIp
                                                                                  MD5:6CA70CDB3FA575506BA4035E9A50D8E4
                                                                                  SHA1:A2A20F5F95A1AB293A188A55BF593A82EA0DCB7F
                                                                                  SHA-256:F82B2043B470BF0E711C3D05D758A379920340212437917B5D98AF0C14E7BFE0
                                                                                  SHA-512:A453CED526332ACE37861A0A862FFF3710EF74ED57965F28DD279F526A2F33C390E82FD2C49BEE75476E5B4C349C40A71EEE49EDAC720236A16780DFD700FE62
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 189806 bytes, 7 files, at 0x44 +A "xact2_7_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 10116, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):198974
                                                                                  Entropy (8bit):7.996718266567073
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:kr+0amjUgjJG0HRzMUxWDJkUMP9KeK17dq569:krPVzjf+pk9keKdq5q
                                                                                  MD5:FBB6AA140D5D0AA28A7561EA15D69E72
                                                                                  SHA1:26804276EDBB1EE23B96690B40A01BB9C723F7DA
                                                                                  SHA-256:7781F0494648989583D4AC7695B9C5310EEA76B6A102E15EA0FC7376250E4584
                                                                                  SHA-512:08D6F2EF3346229F71E9FD6904D99BCB69F0A03CBD2D428F0A3BA58836694B801446165814AEE120B4C5EB7046184B08FB49248F5E1941579B9CAEAF9FBA1B1A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 90857 bytes, 6 files, at 0x44 +A "xinput1_3_x64.cat" +A "xinput1_3.dll", flags 0x4, ID 9350, number 1, extra bytes 20 in head, 6 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):100025
                                                                                  Entropy (8bit):7.988437274786544
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:Mt5OSvuXSf2rbZu4Kmsr4eLRwPC5B9y7q:MTOBXSSpFI4/PM/ye
                                                                                  MD5:FAE84E0773A74F367124C6D871516B7B
                                                                                  SHA1:CAF8B9D7D4AF965BF445D052D1E835B680D6BBC3
                                                                                  SHA-256:86EE073C199B5080FE4F5BE6AC24BB1117FEA42E4BBCD828B4F0EC26C669B22C
                                                                                  SHA-512:CAF1381CAE7417B57FAEF56D0023BF90C90406748F8813AB85C687DDB81E2498D2F1D5F4BC154903FD5A19836E6F245CD6F5D3927A383F1ACC3BCC41B58FD09B
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1071684 bytes, 5 files, at 0x44 +A "d3dx9_27_x86.cat" +A "d3dx9_27.dll", flags 0x4, ID 6926, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1080852
                                                                                  Entropy (8bit):7.999138982152864
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:sP2N00PXWcq4UsDMMlsOgDUaQFMBZ0To2xIG:sP2CuZQsVl96fQiZMo2xz
                                                                                  MD5:3E91448A7481A78318DCE123790EE31A
                                                                                  SHA1:AE5FE894790624BAD3E59234577E5CB009196FDF
                                                                                  SHA-256:8C062B22DC2814D4F426827B4BF8CFD95989FD986FB3AAA23438A485EE748D6D
                                                                                  SHA-512:F8318BD7CA4271FC328D19428E4688DA898B6D7FB56CC185AD661D4A18C8169392C63515D7DD2D0B65CBD1F23892D7A0A5D3D77A4CDA6230BA03B3B917E5C39A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 176943 bytes, 6 files, at 0x44 +A "xact2_3_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):186111
                                                                                  Entropy (8bit):7.995685991314543
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:yglGrmTM3Ne3LnSYZr66OltMlRz/EFa6xoXJMOL7CmAvyl81g5K7VQLWRrZL:xESKSRr66OltMlWFa6xoMOL7vmGGCArN
                                                                                  MD5:4BA26F9DCCAEBD7BE849A076EC82D6FF
                                                                                  SHA1:42FB0D0089D8BC92735820F475968F59AF4E4365
                                                                                  SHA-256:13E7EB934A7596E7C3B7D8A0962E68DA841D9C73D154825DC982FF6D05CFF221
                                                                                  SHA-512:4E4FD8A31AC3C2F8CC66D434103C0097AB3FBE2C2E8140AAE2F95FC4AC1927AAE9CDCE8730DD7C4DAD785D9A653D90B0F914B258BB5695C68CA93F605AC82DD4
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 81182 bytes, 5 files, at 0x44 +A "xinput1_2_x64.cat" +A "xinput1_2.dll", flags 0x4, ID 7454, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):90350
                                                                                  Entropy (8bit):7.985841057262195
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:5lQFOMW9t2gGQtmxC4LbB8GXjgvW/j44krD+W2MLdk6v5yO1Ha6DB/4RPjz6ITda:rIOMWm+tmnbXjVkWW1lgO166cjz6z
                                                                                  MD5:A9D582E44E46E36F37EDB7CBC761179D
                                                                                  SHA1:ED1BEF64385E94CE89AFA704D38408E23B31FA79
                                                                                  SHA-256:C26633D38E0A91B9BE70382E916A83D50E219609F7E05CFB2D27DFAFBE480B43
                                                                                  SHA-512:20011BFB547DEDCE8E6FCEDA22C3A3A83DB140E8A20844F3B0E8741B4474C1FEA73D84708B801E83EAE3CD2D8A2D6C851C3F7CD0154C0382A78BC2C2DF6B01E5
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 894638 bytes, 5 files, at 0x44 "D3DCompiler_42.dll" "D3DCompiler_42_x86.cat", flags 0x4, ID 10010, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):903806
                                                                                  Entropy (8bit):7.998441664012848
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:kWl8lkb28nNHiYNk9tb59zmj000KFiBudeBsbgy:No8NHi7/pAJioEy
                                                                                  MD5:87BDAE64FD47A75F867A290EC7B8A4B7
                                                                                  SHA1:DD9E69E1815E8BC161E8EB89A0F2A296074BB95D
                                                                                  SHA-256:6BD32337826F5A5141FC06391919A249E984150905C2546DC8BFC33D41A24E82
                                                                                  SHA-512:C8F7A490722741DF4E03823880C6D623FF16AB648A40C1B1C8F7BF26C92499EB34C4596BF239337CD23A57974757958AD9A30D42A4141DC0E7522F998ED3893A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 722496 bytes, 5 files, at 0x44 "d3dx9_42.dll" "d3dx9_42_x86.cat", flags 0x4, ID 7080, number 1, extra bytes 20 in head, 59 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):731664
                                                                                  Entropy (8bit):7.999475174279291
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:IDTg2rIyRKFAtmsFp1UChyax+LFl9NiHEpMH5Vfe8PIqEqnyA6F56J2:M02fKYVFvhKLFl9NikiH5V28PXyA6GJ2
                                                                                  MD5:9BC8213933598D050827D20A4573486C
                                                                                  SHA1:E6F9BA62756A00C53746419DEA221881AEB336CF
                                                                                  SHA-256:9C96B6FC4DF5C0EFCA9F0D653976772B2B964243214F99066E4CA4AA6DF791DD
                                                                                  SHA-512:A1920D042963CDDA41DF44044DE5B94B4CEE6EFA102F633214E384918D93D2D6A31EB388BDBD00C7E9C199281E3B71CAA5242E9A42E7F0BE27EDF90A3CF6890C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1565194 bytes, 5 files, at 0x44 +A "d3dx9_32_x64.cat" +A "d3dx9_32.dll", flags 0x4, ID 6631, number 1, extra bytes 20 in head, 137 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1574362
                                                                                  Entropy (8bit):7.999757508861621
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:AbmMc7lXv7PY1QKs16rjZ1w00Z2xgaJgYRf4MyHGktr3+mlQmxHw8gEeGrs+RDb1:Km7lXk1Zs1Mj0SgyqP3RvxQX7G3H1
                                                                                  MD5:2290064562F2D6D197765F4EDEBC5BF0
                                                                                  SHA1:70C2E3C3EB521BA4C46C428D57166631F86512C8
                                                                                  SHA-256:DA1CE01BE39F41F967282849715E8310DC1887BFEB92C4E0166D2C31F00647F7
                                                                                  SHA-512:B25A517DE79668E3ABD88ACDE835DF4A0D69E70CE0E001DB31D5DEBCD812BCE46F4ADA5E07C036C7BBE88D6DFC9F6531B2198F03FC27FA46070C790B45955DEC
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 126449 bytes, 5 files, at 0x44 +A "xact_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 6923, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):135617
                                                                                  Entropy (8bit):7.992141777548868
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:EaLgbEzMsJxjJDOAfpPt4HvbVs/m2EKtaVNRF+kA5Y0L5XP/JwObYeM57H:LkgzfxjUWL/3EKtqNlGYeXqObkL
                                                                                  MD5:FEC720C0C15C43569EA9FAB7CEAFEA95
                                                                                  SHA1:C65235B40865725A00675F1BC013BA8B77307669
                                                                                  SHA-256:6456FC26622F3A72B9449ED0E61874CF1ADBA23CCCBFCDA1324F033FE0788FDA
                                                                                  SHA-512:8EDEE940930E3C610E709E2C6348ABAB479628BFAC71A0C507F46AF8D80F1F0C6E31C7C44AF5F884668CE472B281FF18CB44A97AB68232D455B7BC8F89A75268
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 188715 bytes, 6 files, at 0x44 +A "xact2_6_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8448, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):197883
                                                                                  Entropy (8bit):7.995921670109717
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:aX7CLQxFiIUEWXDCsi3jGg+U2p2z51zHdZ5a:78iE1sx0s
                                                                                  MD5:CC622A75240CA96FA8F28BD984BED5BC
                                                                                  SHA1:424F216C5C0E02AE654612EAEB04900C9DAFBC61
                                                                                  SHA-256:3454D5101716A5C17BCDEE8632668D981F99E8558D8D05E20A33ED718ED8C2AC
                                                                                  SHA-512:EAB36CD6BC3AE6F67D89996785F9C7D51E140BFB839A866B4E4FFA7809846DF861D30D1FCE2E1A498E8403DECA5CCBC50B8F37F4C1B4AD3CD3A63B150C49ECEF
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1330042 bytes, 5 files, at 0x44 +A "d3dx9_26_x64.cat" +A "d3dx9_26.dll", flags 0x4, ID 6675, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1339234
                                                                                  Entropy (8bit):7.999619123900207
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:acfUVHkSDmhcG/IQtmLMLfNYIpTTHh0am4l76wbh:XUBvDzfQtCMLfNYqXqal75l
                                                                                  MD5:05103E47F259FA22D27C871E4CDEE7D9
                                                                                  SHA1:502FA5D15FE56DCF64431BB7437E723137284899
                                                                                  SHA-256:794E23D8B08F88BB0D339825B3628C24CD0297195657F9871EE6324786FADA36
                                                                                  SHA-512:180E0ABBD97B6781C6639C6AB2A2355400B8E32784A8469C3CBEDEA23B121CAC5BA17F6AA509610D0A1E5830735455690F574054D6224A6A5D2AE70EDB601835
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1601326 bytes, 5 files, at 0x44 +A "d3dx9_34_x86.cat" +A "d3dx9_34.dll", flags 0x4, ID 7195, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1610494
                                                                                  Entropy (8bit):7.999066428256981
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:ZBdkB3TM+mIf4qyM0iJRy3QvQDxPYKhatPJZcg9QwJeYX34eq2F37kRVeLbdiL3q:ZPU3TMXxDVI3vQ2KSBP4YH4aAELbdK3q
                                                                                  MD5:FE8FEB215FAE59866DCD68C1604D97AA
                                                                                  SHA1:CEDACA678D15E78AA458B965ABB467E8964A1FAB
                                                                                  SHA-256:1C1E1C6F68BA556A0AF09A38C32EB421C543A4848C4B42D25867C98DAB3B3A50
                                                                                  SHA-512:9955336B561E4FD3BA3DA7FC086643E811048A25A7E68344D2CC5CAB091980BAAE1C04CE41328B59C896662E2875886B78EC869852B2D1DAAA46AF38C894A3F2
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 191162 bytes, 7 files, at 0x44 +A "xact2_8_x64.cat" +A "x3daudio1_2.dll", flags 0x4, ID 10131, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):200354
                                                                                  Entropy (8bit):7.996324633982409
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:Oxuwfa4lebkGyR+DPZLOYZ9lD7baC+PJEDzfYPO6quXhBhYDLk0siPnJ8WKKiu:Oja4WkNWOYxX1+++vRB200ssJ8G
                                                                                  MD5:B9648D12DF695290BE0479C1E78894C7
                                                                                  SHA1:932627D40A83411F9F4006792ADEEB4C3A74CF37
                                                                                  SHA-256:3F2CA0ACCEF2594FB014296F4111B7FBB59729C5D928B22F7283C392494FEE7C
                                                                                  SHA-512:240B622B02C5FA3D036043ECBE5BF29FEE447147AF36E795BFAE83FAFA35934FC22A3E9CC2D846BD880D7808897355E16696C555146EE69864472D4600AD25B6
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1457918 bytes, 5 files, at 0x44 "d3dx9_38.dll" "d3dx9_38_x86.cat", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1467086
                                                                                  Entropy (8bit):7.999726422350297
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:HGIly6o6H1kEznWRpKpx5A0SBF/VnjmkC8nAMzh08qF4QH5/RSzsExkqv4Q9hHi0:Hh46Tn/UXVjmiJlO4sVRSzdk5uhCbOka
                                                                                  MD5:E2FB2E37C342983493C776BD81943978
                                                                                  SHA1:2A8F3C45CF979966D4D4D42A4D34F05C72C7E29E
                                                                                  SHA-256:57E57A6348E55AAACA6BED5E27BBDD0A4BD0DDE69C77F4D26C805BE6384BE927
                                                                                  SHA-512:2D297F607C5A098A3D2B19E7F88AA12F720AF3C23FE6DDCE7D4659A9184D1CF8F8A76F35B8ACB639B48CDAD8998C919215A03B89207E2BB1829EA3D8A9EFB95A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 756228 bytes, 5 files, at 0x44 "d3dcsx_43.dll" "d3dcsx_43_x86.cat", flags 0x4, ID 7878, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):765396
                                                                                  Entropy (8bit):7.996955154936438
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:C8Dx0/99rEneJVyrxcsaWmeUEEBTJNCK/FcZZXlewc3/2tqCyrIUl3z82ItDwh2Z:XDO19AVrRfEHNZWZrs3+ICyco3MDISTT
                                                                                  MD5:E34C0CF1BD5A68C80BDC709A452EB322
                                                                                  SHA1:4DD4553EC7E2E42D51A716B1F4CB58588BCAA164
                                                                                  SHA-256:799B517227812252481C9C9B22CF16FF185FFC20B9273612C8A37153B53AAD93
                                                                                  SHA-512:3488A52F6FD3681B10624546B923368245F969330D4909E91C5B58F159CD24B258A8A2274D62243CA5CA9F1FB40F9F248B3BD92283F775DD24BAF68ECC5FD03D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1703400 bytes, 5 files, at 0x44 +A "d3dx9_36_x86.cat" +A "d3dx9_36.dll", flags 0x4, ID 7211, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1712568
                                                                                  Entropy (8bit):7.999078652914364
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:fMb9V3TN8vuaBYlFhEbpdjRsI+CpoUjrn++qWYxhiUX21LVpmI9P2BZbcNU7YBP1:kJEvlmFMpdj/Npocz++q3X2tnLAcm0Bt
                                                                                  MD5:C5E127067EE6CACDD2F8962E6005542E
                                                                                  SHA1:22C571E4DA75A6E5DFE02E3E3587F40C2939C745
                                                                                  SHA-256:F52CC1304B533083B3FC5553C49433C0E4E46D66D567B9DE0B558CA518DB1544
                                                                                  SHA-512:E70DF11AF8CB5D51C3111B8327371EA40292580F06D7D265F2449B89A4941C4740BDE904367FBCB4158512939BBD7C7A3DC20D3642475789FC075A2AE8E27860
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1544836 bytes, 5 files, at 0x44 "d3dx9_40.dll" "d3dx9_40_x86.cat", flags 0x4, ID 7155, number 1, extra bytes 20 in head, 134 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1554004
                                                                                  Entropy (8bit):7.999645278979612
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:K3tdQkdeoPJLiej+pb7Q15LwQrpLeWvYMWbPBmcnILz+0Byna:2dvdeAweSBQPLwgpCWvYMQ5mcnIH+m
                                                                                  MD5:75556D89FDD442967A23993C9111D997
                                                                                  SHA1:003DE53653C0CC84F8C3D617D1F76FB475F1A7CB
                                                                                  SHA-256:863AC3438F57158D4F53900C6924BFDC132AB43A5AF57D4658E65842836B4FA1
                                                                                  SHA-512:6086114500DBBF4DB9D0A9C3F72732995BB9A3AB5C135EAD53143749B95651B37B64BE7A52CA09388DE90216FD00486FDFCFBC87D42D77FAC469F82B5290E06D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1121257 bytes, 5 files, at 0x44 +A "d3dx9_31_x86.cat" +A "d3dx9_31.dll", flags 0x4, ID 6911, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1130449
                                                                                  Entropy (8bit):7.9990817245216945
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:fd5gyP75nbAgKdWsTLSCs3BZnH50ve35Jxroo6DS:F5fP75nbt0STRZn9nxrb5
                                                                                  MD5:F778928C9EB950EF493857F76A5811AD
                                                                                  SHA1:EA82D97077534751297AE0848FB1672E8F21E51E
                                                                                  SHA-256:4891E2DEA9D1798F6A89308E58C61A38E612F8433301EA2376AE14C3DFCB3021
                                                                                  SHA-512:1F382A287FC6763B8E8D66825E8256DFB7D0DEAD6B6A6B51DD7C4A5C86D536CC7EF4128BE0CE495FE17C859018750072DC7B43E3476D1BA435F209CC4EB6D43F
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 91192 bytes, 3 files, at 0x44 "dxupdate.dll" "dxupdate.inf", flags 0x4, ID 3666, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):100360
                                                                                  Entropy (8bit):7.9900557178400815
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:lvknxJpNYAzRstaRkz0BwwnNbSa+vp5647S:FkZNXsERk6wwBSa+vnl2
                                                                                  MD5:4AFD7F5C0574A0EFD163740ECB142011
                                                                                  SHA1:3EBCA5343804FE94D50026DA91647442DA084302
                                                                                  SHA-256:6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
                                                                                  SHA-512:6F974ACEC7D6C1B6A423B28810B0840E77A9F9C1F9632C5CBA875BD895E076C7E03112285635CF633C2FA9A4D4E2F4A57437AE8DF88A7882184FF6685EE15F3F
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1073002 bytes, 5 files, at 0x44 +A "d3dx9_25_x86.cat" +A "d3dx9_25.dll", flags 0x4, ID 6922, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1082170
                                                                                  Entropy (8bit):7.999075135168916
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:i0BodqhH/OCy8M+j5lcB4ZfeXBXUd/QLML9bw6Uzc12:iUbffy/+lmBXF8Ioxw6Uo12
                                                                                  MD5:9C5DCA423D9D68349D290DF291DDBEEF
                                                                                  SHA1:D9F1CAE586470EA309CE9F115525B0504FFFAEA4
                                                                                  SHA-256:5487ED4E969A822E5C481CEFB1D4DA3066B1D5EC8C55798B246915ECB58A8665
                                                                                  SHA-512:9F50599321F45FB7451B0A1C0F1DCBD6B4A4E60EE27B0EF5AA29168C1BCE5B08F34329916EA2EA655CD632D0A19C81953C2A5F1277F6A96FB63AFC098236509D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1391870 bytes, 5 files, at 0x44 +A "d3dx9_30_x64.cat" +A "d3dx9_30.dll", flags 0x4, ID 6646, number 1, extra bytes 20 in head, 123 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1401038
                                                                                  Entropy (8bit):7.999678252363499
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:qpSOf0NLgpl5UCjJlezBreTxpgDysu8tyDJhllXCQaXVVeOYa54Sx0HfWyRA7ydL:80xgpl5UCLezBrg4uDDJhlAQQn8Sk87a
                                                                                  MD5:5EC6F520F3AFCC6494AB0D43B690EBD4
                                                                                  SHA1:2359E14CB6DA44AA89A3815E905D6FFD81960D02
                                                                                  SHA-256:27D99894E2A68601F46487C9999723DC83BCC9C6F903F2E2622D05668035B015
                                                                                  SHA-512:9DB4A9581EDAE2681491D5E13228642737D0D186E0E1672B063482B2E699274ACFCB81DFA9631902E93E009ADC0BBD9447061830C8CE2FEAD6743E2D45AAED60
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):90309
                                                                                  Entropy (8bit):7.986243949537019
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:/0CNqg1WzKHJUq/JSlvxToeSNOUp9BttldRL9zaMNez4fbI9YKztrIrm:/hIg1cEJUxvxlSNOUpfttldRL9zkzAI5
                                                                                  MD5:B0669F7D395078BEE0087B089F0B45C5
                                                                                  SHA1:30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
                                                                                  SHA-256:E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
                                                                                  SHA-512:D7EFCFD85B3CB6CB9B1936B701A9D7D91A6094AA08D8C933EDF8493C6AD57BE05A579980A404B35E9721F71B45F4CAE28399FCA3FF5DF20A9A3138B90F86B94C
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 692652 bytes, 7 files, at 0x44 +A "d3dx10_33_x64.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 10164, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):701820
                                                                                  Entropy (8bit):7.999560976493214
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:RK6/uIaEOb2fc+HdQn/lDTK79RrFEYnj3LUFWQJcR1WrADy2IYxUSsEtiqUoY:RUlb2fc+9Qn/u9RrFEO3LUjU95I/EtiL
                                                                                  MD5:906318E8C444DAAAEA30550D5024F235
                                                                                  SHA1:3F3DCCF0A8A1CBF6F603BE1DA02E1E2BF89D24FC
                                                                                  SHA-256:1A37565C5B868B6A5C67F3E24B8AF547506799444CB77C7086E7B0CEC852F239
                                                                                  SHA-512:0A7AED2F49EA3DCBCA1607FC46F166A44BC9D08589DB05051B422C8AD84ADF322352F71333367C612F9579B4AACB4CD6B82489DDF168AD67FB4D42AB52999C88
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1600079 bytes, 5 files, at 0x44 +A "d3dx9_33_x86.cat" +A "d3dx9_33.dll", flags 0x4, ID 7180, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1609247
                                                                                  Entropy (8bit):7.999284261824255
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:4cQY0tIpwa5ydxGuruluTsRWo1Iq9e5m98yiN9/0rjVH60mPxr/1MQK:4cIIi+G9rul8uooec98yi//0rjoDZrCF
                                                                                  MD5:A5915EC0BE93D7EEBE8800CE761EE6DC
                                                                                  SHA1:E8BBC21C2B5F0E5801286F07E3DA09DBC67C3961
                                                                                  SHA-256:EFA2E6DE548401376A575E83A79DE019AA38F191D63FDEF3BD2B07D8CB33E3D7
                                                                                  SHA-512:02259FF3C8478CBA134A8F8408AA624B7165CED97C0AED8C9626034599DD5439F84D1AF9EEFC4191898B0A524E5FFAFB9875EC00E740CEBE97EAC4C2DD0E31AA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 846326 bytes, 7 files, at 0x44 +A "d3dx10_35_x64.cat" +A "d3dcompiler_35.dll", flags 0x4, ID 10170, number 1, extra bytes 20 in head, 79 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):855494
                                                                                  Entropy (8bit):7.999465744344346
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:zjF8w0LrsXJsv8dTWuiF8xcg+6FPwZuTCsIJRTrDUrcLUWKUlmeLbPzifDrr2VNt:t5YidTlG8htw6CRXLUW5VDSMKCZH1
                                                                                  MD5:8F715D741B7401547A263FD4AF02E7BA
                                                                                  SHA1:39C031174008A0E7BD603A5670F578C0CC6443DD
                                                                                  SHA-256:C97275F60E2F25732B3B264B8BDF9CFDAA39D6E5B189C08FAB5CD7A04FAE9BF7
                                                                                  SHA-512:27CDB534361C1F6205585E1BAABD83B03F6715D29AFB61351F660BED1CCD1EF035C6541AD7E4C551BFDD2AA8FE77A903D23EB27618ED369C37A369D373467C8C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1702192 bytes, 5 files, at 0x44 +A "d3dx9_35_x86.cat" +A "d3dx9_35.dll", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1711360
                                                                                  Entropy (8bit):7.999186916403002
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:91jqFBu+YTN2MuQ4R6dPnknsGmQA+re+1ZGD+rCbaNHy196aqlF35RJT1q/P0a+8:9FyMTN57+MPO++rB44S1I/F35zhqFR
                                                                                  MD5:3ED592E6CDAE66B1C0671D9EC417A738
                                                                                  SHA1:9F083FFE00A8E5EABF282130CD16044B488B6E0D
                                                                                  SHA-256:4914D2B5C3251B00C0CC236F51AFE469728D92B50C953C66D213F079AC928EAC
                                                                                  SHA-512:0144DD9A83F953EABAAFF3C41F17A363100C9A2CCD932321A4AFE990D8FCB5A430E842DE9146C983409B6366CD974E318A535E6475B10839A6679844CB7D23B7
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1458712 bytes, 5 files, at 0x44 "d3dx9_39.dll" "d3dx9_39_x86.cat", flags 0x4, ID 7173, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1467880
                                                                                  Entropy (8bit):7.999682997096517
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:ztDuVYfr3zZ3dHi+rHI8lVs1WutNXBoY4RbifcKly/kNwSh1mMbS8X/9Wv8PiL:JDnr3zZ31lVsgENSsfcKaZAFF88+
                                                                                  MD5:4379902C4180A9A6BF40B847372CEC5A
                                                                                  SHA1:C7FC8184D5620154B9BFD6FBC8820A78C4EEE592
                                                                                  SHA-256:61E703E8D231412F135B4ABA629122D9CB69AC9EE39FA3CBBE6B95DE05097A8B
                                                                                  SHA-512:9269F49A5CA90143C50B817E9F5AEC0FC4C32BA1B6D3A21CC5448CAD21A16A902540C8CFC1825B124CE39E0BDC479ADE4354B6BE15B2067E3033E04998E0710A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 99084 bytes, 5 files, at 0x44 "d3dx11_42.dll" "d3dx11_42_x86.cat", flags 0x4, ID 7285, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):108252
                                                                                  Entropy (8bit):7.991332626956763
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:MI9cI4N24813fwIsfQqzjoroJ1OL79D+0sFGmNjFRchFxLvk5yswFa8D+0qlt6s1:Pah8Vo/1uLJoGmZEFxLvcwM8DZcZxb
                                                                                  MD5:DD47F1E6DC19405F467DD41924267AD0
                                                                                  SHA1:85636EE0C4AF61C44D0B4634D8A25476CF203AE9
                                                                                  SHA-256:39FF69BA9161D376C035D31023D2FDEECB9148A2439ABE3AFD8F608F7E05E09B
                                                                                  SHA-512:F77C4CEF5CB7E927948F75C23A190E73D6C75B4F55915859046533A10AA3C5ABAC77D8BEF71A79368C499C85009213E542094B85B94B69E62AA66B60616777C3
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1352016 bytes, 5 files, at 0x44 +A "d3dx9_28_x64.cat" +A "d3dx9_28.dll", flags 0x4, ID 6650, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1361184
                                                                                  Entropy (8bit):7.9996739284035945
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:MWKJ8/HOO46naMPT4WtPIDONJkwzpow5Xl6tgvmKSGfEov6tTc1RImGLtqrtYEm:Mj+146nP3PIabkUl6tg+KSG8o2TcRG8E
                                                                                  MD5:D964ED45FF274DA2C8F48E2CBD00AA9F
                                                                                  SHA1:5C2E5607065238FB24A0B65DDFC904406615E2A9
                                                                                  SHA-256:DAF10A54089755F9A8ACEFF0C7695F1AA42D35E3179DA5B9BB91E409036AE547
                                                                                  SHA-512:A74E2DD4BFB037E5F5A1DEAA86F9C4A354F023B62E1F2075509FB707EEE1725B1136441D1059BD3929AF1A44F6372DABEF9CD15D386A77B2B22A532B74CF16AA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 206847 bytes, 5 files, at 0x44 +A "d3dx10_00_x64.cat" +A "d3dx10.dll", flags 0x4, ID 6580, number 1, extra bytes 20 in head, 17 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):216015
                                                                                  Entropy (8bit):7.996946294916653
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:SGo145qtWQt9fL4bBHlKqDfaqaGm3+vqm9/Xx0b6POnzED/RIxeqTk0T:SGo145qtbt1LaeB36/xc6PkV
                                                                                  MD5:681407075E9B19E5EF2218832F6FAD71
                                                                                  SHA1:E4F4D292A36CD9A3034007EF9D2005694307EB52
                                                                                  SHA-256:F9BD5BB083BD55D1D2A690BC66D6D9DA0B1A8B49F09E811E788C030669121118
                                                                                  SHA-512:E983E7DD3F40510816FF3AE836600A186DBA827B484B0C346C20E43E229189A86D4CB5CF219C1FC35B77AB0668866446F6E9206B279931C927D4ED66AD3625F1
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 186515 bytes, 6 files, at 0x44 +A "xact2_5_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8443, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):195683
                                                                                  Entropy (8bit):7.996606477865772
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:ZCISkfUHof5yPnSKfEGMKBQ0sncpIt1EXRN0F+jTx8bh44VhRjR+t2h5fjJfn2Eq:ZNdUIRanSK8Gd0nKIAN0F+RWugXRa2bi
                                                                                  MD5:F34FFBDB67DCF84092C9D321E3343D3F
                                                                                  SHA1:52FAFA930C3464E070E1E4692D4600B12678E9D7
                                                                                  SHA-256:BDAF9C41F83E65DE2B73AACA2002541D48C65F551CFA0578B3259D3BFCA54EAD
                                                                                  SHA-512:A78D32EE71F5B4214E9B8B95FB8BDD4B629D34529FAD7A494219175CE5CC129A3F5C500D426AFE0DE6A680977FB86ABF0B77BE353D8D19D6ED1A11C421C6E757
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1241539 bytes, 4 files, at 0x44 +A "d3dx9_24_x64.cat" +A "d3dx9_24.dll", flags 0x4, ID 4731, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1250707
                                                                                  Entropy (8bit):7.999567218170613
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:bsacaEhnsKcwXWOBfH7OhvlY2HIbbK09zRy2/TnN75EEvIOiOhpbF:xuzcwXW6YlFIbtN7MOiOh
                                                                                  MD5:DCA673A8F9F834F9370862D1C97FD9E7
                                                                                  SHA1:1A0CF0FDDA2C9E8ABDF5CC19FCDBEAF1BC1639E7
                                                                                  SHA-256:BE3DE63F136A2B41D3229E477CE2CD7F67DED031B4B370E640C39B80368238CF
                                                                                  SHA-512:255270BDBC1DCD6A3213D8F0DA2E48C6445B0141C5148EDD1DABC9CA4643667651694B68013412A4F2EC90CCD60A757F64A9A76E2576C4FCB056DDE726A6F67B
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1078760 bytes, 5 files, at 0x44 +A "d3dx9_29_x86.cat" +A "d3dx9_29.dll", flags 0x4, ID 6921, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1087928
                                                                                  Entropy (8bit):7.99922866964108
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:MWlF24ngnZPhX4ciAwvVHgK6SgHY6OmSfLV+:MWls4gnZTmHx6SgnPCY
                                                                                  MD5:F6CC1C08D0F569B5F59108D39CE3508B
                                                                                  SHA1:E9CF7EDC8C9C4B57A9BADD8386A2117EC5785AAB
                                                                                  SHA-256:4114E76799AF3DA9DB3DAE51305DAD70A05B757E506E4A327092D536CCA7EE75
                                                                                  SHA-512:86DF72D5B15396ACB504C1AC9DE7FF5C0CC9C95A90FDD82DAEDC55BAAD490CC47A71CB511571D37E25DD9BC1EE9652B9723E33879BC1756A7881A8E61EBC59ED
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 174825 bytes, 6 files, at 0x44 +A "xact2_2_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):183993
                                                                                  Entropy (8bit):7.996017590596314
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:fC8YuRPaoTUX/SmAwGUGY+geIhVhbjF/kZ8FyQU02JhzqhA7J4rMgThmwQvzb7e:fCoJaoT8/2Z9YA+VhbR8Zwy3RimwQvzm
                                                                                  MD5:D404CCED69740A65A3051766A37D0885
                                                                                  SHA1:288818F41DA8AB694C846961294EE03D52AEA90D
                                                                                  SHA-256:5163AFA067FE2F076AB428DD368BA0A2CF6470457BA528A35E97BE40737A03C0
                                                                                  SHA-512:87998E67B359C2A0D4F05DC102F6C4DB4F260903385B7558A2C1A71436001D5B18F42B984E6B279A8197243593C385D41F51DE630FA31C5CA5140F6970F87657
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 693084 bytes, 7 files, at 0x44 +A "d3dx10_34_x64.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 10180, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):702252
                                                                                  Entropy (8bit):7.999542751209748
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:8B7y3n2GQi70ZEqAEToKVkDYK96luRC/Qwrkxb0b9fhXNkVkN2t3r1:8BO/j0ZWET/isK96luRC/jk49JN2t71
                                                                                  MD5:1AB35D11274D1ADBD316B19C44B9AE41
                                                                                  SHA1:14165EC367CE179588C8A5806FC968FDB49B4ACA
                                                                                  SHA-256:02ED1B5A850EDB52EC174DE177E91842EDC7C5F4C06CEDA5B16F3427DBCD4C99
                                                                                  SHA-512:71C8FAC7C95211D323C4FB6A02916E7D43EE399BBE0F1D983B5AC210F5039B23355F40B36F023F3C36E19787E2871A60CC389E51D6327652CD84D9E3B93D5A4D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 191323 bytes, 5 files, at 0x44 "d3dx10_43.dll" "d3dx10_43_x86.cat", flags 0x4, ID 7293, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):200491
                                                                                  Entropy (8bit):7.9966634458730566
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:kD2Fju8h1xkWCD/5e8U2LK1aQAMxVz2aoOxoY4+ApyP0EwMGvFas+8QJgdBvCD7D:kwbCleyYagxVCaoV+ApcnG9aKQJaw/
                                                                                  MD5:591A61BD06C73C70F93DAC5AF2D8E924
                                                                                  SHA1:C9D36AC5E2ACAC31A7413D22ED1C09C71CC96FFB
                                                                                  SHA-256:F0BC06CEB484D97CF01526F9223DF7B4357D166C4391869F2E7D514DC1FE769B
                                                                                  SHA-512:3E2E3318A700A6ED82A21018403CA99728C8A56B7DF81F99A5D705B586CEE1141586DBF19A01EF1F1A72DDC8F45DDB51BA5769AE4634B02233EF1AC4E0FBA5D4
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1437322 bytes, 5 files, at 0x44 "d3dx9_37.dll" "d3dx9_37_x86.cat", flags 0x4, ID 7166, number 1, extra bytes 20 in head, 116 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1446490
                                                                                  Entropy (8bit):7.99972380205062
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:vFs/gTzoeHhwLMLDjl5XbCzgxt0Q98wWz35UM0vE03yYCmPI7ik:veKTHhbLDbDP0Q5UUtBC2PAz
                                                                                  MD5:8ED75E3205C2B989FF2B5A7D2F0BA2DF
                                                                                  SHA1:88846203588464C0BA19907C126C72F7D683B793
                                                                                  SHA-256:91A50D9EFCDFBCDF22A91D6FBB0F50D3C2AA75F926D05CC166020BF7AAF30E28
                                                                                  SHA-512:D0CF0E3AAD9C8C43A927D1BBBD253B9FE4C97B638AD9A56F671EBEDA68FC9BC17CC980D93095FBB248DD61DC11B7E46C22D72CEE848B150F7A13EAD9E08A7891
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1606486 bytes, 5 files, at 0x44 "d3dx9_41.dll" "d3dx9_41_x86.cat", flags 0x4, ID 7142, number 1, extra bytes 20 in head, 128 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1615654
                                                                                  Entropy (8bit):7.999772423092358
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:xFtN95ew18Yl4WTrZnZSibmmq18Whxp9pWISiIz9cXwowwenm2AB4qDA2mV7Q:newRFZ8ib6T3p9pW9/Z4bM/XkA+
                                                                                  MD5:901567428D8C82756D7BF5A406441BD7
                                                                                  SHA1:6E3C22147F3DA77AC8F20D615CA32B5EF2A0ED28
                                                                                  SHA-256:32356344AEDDF709C9D5302D8F3FCC1FF1BE2E82D8D17833A2086400AF248794
                                                                                  SHA-512:6FD4C429E32480BDFF4E58BA8BC0D28FE97C9FF5EF1FABBB856230EFA669246A354F99B723E7483D548B74C121AC8BA9CBA2B5BC3C18F35EE828302D392CF6ED
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 132057 bytes, 5 files, at 0x44 +A "xact2_4_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):141225
                                                                                  Entropy (8bit):7.994197909856769
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:s0cnkrYXa8cJVIajswPlOA//GNzLriX5MMP6:s0OkrcajIaw+neN+XaMy
                                                                                  MD5:4FD2B859952C008DE0542053B15BF0D1
                                                                                  SHA1:0800CEC84B51FC6362C871FAB87A09DB5C4AD6D4
                                                                                  SHA-256:F6B6EBC9C239C5263AAFAA63FD691DA5AA715E9C794D5FD663E86559D5C6AE56
                                                                                  SHA-512:D656C3BFE4593EA9084A5D09F0173C8F6B7D6229FC7E3F6757AC03089CFA94A7337BBEF0456785B79D777B976F5A8259056D2DDCFE0F74D78C304A02BCEE0AD8
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 40050 bytes, 4 files, at 0x44 +A "xinput1_1_x86.cat" +A "xinput1_1.dll", flags 0x4, ID 6338, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):49218
                                                                                  Entropy (8bit):7.962835058038329
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:rrXN+lWp5tvn2v0JeuXfYYJDyRIvwde6hecBLdKd+d4RUJ6HwyQs34VvD4:3gl6tfTVXwcWuqe6htcaJyQW4VvD4
                                                                                  MD5:E207FB904E641246F3F7234DB74121FC
                                                                                  SHA1:1BE8C50C074699BDD9184714E9022B7A2F8BF928
                                                                                  SHA-256:3FDF63211B0DD38069A9C1DF74D7BC42742DE003CEF72AD1486AAA92D74546FA
                                                                                  SHA-512:ED95D53BC351C98C0322753265B0A21C98DF97D0E2FBBC58A6836BFF374B7540B0CEA21371CD4A7EAD654210A42E1F9809CAC6E4EAE2ECF0EF2B88E220DC37F7
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1601398 bytes, 6 files, at 0x44 +A "d3dx9_33_x64.cat" +A "d3dx9_33.dll", flags 0x4, ID 8295, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1610566
                                                                                  Entropy (8bit):7.999804070832858
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:NjzSeifTXjfzuO/m35sCqSrSBEZqyi2bjbBfQbIKpP5FfiB0Qjq/X1ZXp8e:NvSeSTXj7u0OUM9UStQbNd/Gjq/FD
                                                                                  MD5:F33C12F535DC4121E07938629BC6F5B2
                                                                                  SHA1:6B93FBE3D419670A71813E087D289B77E58E482B
                                                                                  SHA-256:3CA2ACF6B952D6438B91E540F39ABCB93EE12E340BA1302F7406F01568E5CF91
                                                                                  SHA-512:DF1753AB43D5B7FDE2A5EB65A77B37BA28599BC0683A4306F101C75F82B0F1A2C8DDF5741981073CC5DF26E9EA38C9A495ED0FB1689D2E7FC7D6F693759C822A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1344582 bytes, 5 files, at 0x44 +A "d3dx9_27_x64.cat" +A "d3dx9_27.dll", flags 0x4, ID 6663, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1353750
                                                                                  Entropy (8bit):7.999671999388792
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:eG/1unuf7Ga2dGKSnUG+zOADaZmd+JzQpymAFVZcRVhZ9k7LN7QDKW+L:eg4G7GaISn+6FZC+5vmC7EUNRWU
                                                                                  MD5:A9F4068650DF203CEE34E2CA39038618
                                                                                  SHA1:CD8CAECEECD01DAC35B198B42725CBEB5B7965A7
                                                                                  SHA-256:3500C1A7CFB5594521338D1C29946D1E4FFA44D5B6BC6CF347C5BBBDE18E94DC
                                                                                  SHA-512:C92FB461B53051A22FB480BA5B6BF2706614AE93BE055B00280BE4DACE19C1F2A9327106A71851B0E42F39E4172EA3A027F7CE878BCBCB252B723EEA49DBCF1B
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1794200 bytes, 6 files, at 0x44 +A "d3dx9_35_x64.cat" +A "d3dx9_35.dll", flags 0x4, ID 8299, number 1, extra bytes 20 in head, 158 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1803368
                                                                                  Entropy (8bit):7.9998161056633865
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:PMXSYnySbH+yjdYmHPvYn1ZaRSJwF3IwnWkKxpnQfp9sDEYuNHtMJ11yD6TgkRW1:0XS+q4YoIyIJwNImAQHNNMncD6MedsR
                                                                                  MD5:DDFEF236E7D70471AAA1741A8ABFB735
                                                                                  SHA1:5F7ACDE3116A6D4363410D984B9C8919674EC9C9
                                                                                  SHA-256:28B6FF092DE67717C47649C87E7114C34325EDDA199CE2943403C4F3F4C3E0B2
                                                                                  SHA-512:00990F7E6F266C67385813B0BA399A2A2C970DCFAAEB7FAB183E2EC0CC50613CB0AD57200BCDC731900D8F7E609C95E8FF9CDDAA52BCE2CCEDBCF4E9F74008CE
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 186171 bytes, 5 files, at 0x44 "d3dx10_42.dll" "d3dx10_42_x86.cat", flags 0x4, ID 7280, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):195339
                                                                                  Entropy (8bit):7.996178589789764
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:/hxMUzbnbaWbX0JkFvs5aQnkW6sJ/Fw395/lfLxBQLgGlekmQI84HAGujR7j:5CEbiqvs5aQnkW6A/8jlzxBw0/Erd1X
                                                                                  MD5:F264AF5A36B889B4F17EB4D4F9680B4F
                                                                                  SHA1:1DF087EA99D321EC96D0D2F1C66BEE94883D6F08
                                                                                  SHA-256:BB46189EB8CB7769EB7BE00CFBC35902072FA9408313EF53F423E5AE5C728F61
                                                                                  SHA-512:73AE1CF3CAFBA148F4E5B4D8AC12A7AA41F6ECAC86C139C6A7714F90F3DC61C444DC152A3AD3C2CA800C1A1F4955A2B508735F8490666B57D1420FB7A7BFC269
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1073496 bytes, 5 files, at 0x44 +A "d3dx9_28_x86.cat" +A "d3dx9_28.dll", flags 0x4, ID 6914, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1082664
                                                                                  Entropy (8bit):7.999121865147412
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:Wa0lNxqf7fg42FhNffA/Lj41q7+YeSFfSKidHVmTJwagz8u:WHXx652fNffm0oleSt3Fwa3u
                                                                                  MD5:B1CCAAFF46FE022439F7DE5EB9EC226F
                                                                                  SHA1:8BB7225DF13E6B449D318E2649AEB45A5F24DAF7
                                                                                  SHA-256:645F8D90B07C69330A8C7C8912D70538411C9A6B2813048DA8AD3C3119487F93
                                                                                  SHA-512:2B59C07584D45705273A975A0223E4443DB190675558AB89D92E1572DE4843BE3D0D1267818B19185E4E438A8BCFA2AF5FB5EF2A119DA270BE4540576FD78C77
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 185760 bytes, 4 files, at 0x44 +A "d3dx10_00_x86.cat" +A "d3dx10.dll", flags 0x4, ID 5461, number 1, extra bytes 20 in head, 14 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):194952
                                                                                  Entropy (8bit):7.9966042762544145
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:x4mJ4SadBGg8IZrdosr2nqOwY7l43gRDlcGgp6VMslgVwxikcBmEi21wx8MqX+dN:xJJ4VWgzZptAqOf6wRD5g0VlgVwxL21I
                                                                                  MD5:75C33157D8A1B123D01B2EAC91573C98
                                                                                  SHA1:E3E65896CE0520413979C0143C3AA9BD3A6A27D3
                                                                                  SHA-256:02DAA8B5AC3752F76C3BFD9A505EBF22B1B4B41E44EB92CE2799033B2330D186
                                                                                  SHA-512:F0F1F1DEA5938E1C7FF2ADF7C8D421C2E68E6D3A8CDF18D0F2F3FE1C6837A4F37B367D2D974C35832D1D85A619948DD0F250C7D6DC4AE39F618F5A2893EAC7DD
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1568416 bytes, 4 files, at 0x44 +A "d3dx9_32_x86.cat" +A "d3dx9_32.dll", flags 0x4, ID 5512, number 1, extra bytes 20 in head, 105 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1577608
                                                                                  Entropy (8bit):7.999092247669469
                                                                                  Encrypted:true
                                                                                  SSDEEP:49152:VKo9fY3tlVm3JjPueurZ8zQbC88LHhpu97Sm:V13BFurZ8U18uSm
                                                                                  MD5:A5BEAD938AFDC63ADFECC1DAF5049D7F
                                                                                  SHA1:B3D5BF56F6B9BF87C33009A088BA7785B6363B4E
                                                                                  SHA-256:A1CC7603302EE53D54F4353C223D95E223706924D99B864220B13814EF93EEFB
                                                                                  SHA-512:C9244BBCFE60F347EC8785B1A41B6E243153624EA73B16DB4D624239A69FA76D2DF2E54039D8F4D2C495890AC17B676E390F796118B4E16D9F03683247190362
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 139639 bytes, 5 files, at 0x44 +A "xact2_5_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7324, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):148831
                                                                                  Entropy (8bit):7.993942345904899
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:kF/u2w4VarOr9vE3eKgpEUcXDlkCAMsukGtnJW+ATOcfKy:kF/JWg9vE3eKzXDeMpNnUOcfKy
                                                                                  MD5:082B7D69F96799AA2AB1A8EA1FA2AB88
                                                                                  SHA1:75C7032B749259977C947A5103F9A4B92C2025DE
                                                                                  SHA-256:B98E55C654B9EE6F6D040665D932BEA7A1299C56CC9996EEA900AC4F5649C7D3
                                                                                  SHA-512:57C96A4C99AB9A7D33A8CC81A3B4E2AB58FE3A2FBC7F79AD688C7D0257D281C662D4CE0737F68C00D15F715BC6177D2FF9CC32A69CFB77216265FA56FF79DD8A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1007265 bytes, 4 files, at 0x44 +A "d3dx9_24_x86.cat" +A "d3dx9_24.dll", flags 0x4, ID 4987, number 1, extra bytes 20 in head, 69 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1016433
                                                                                  Entropy (8bit):7.998972724711677
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:T/HUK+hlSM4jwe8WpmQUrxiUyULWoF/V++TYrjVdLa1:bHURewe8W4VN8uF/VhMr5s1
                                                                                  MD5:7029866BA46EC477449510BEEE74F473
                                                                                  SHA1:D2F2C21EAB1C277C930A0D2839903ECC55A9B3E8
                                                                                  SHA-256:3D4E48874BDDCD739CF79BF2B3FD195D7C3E861F738DC2EAB19F347545F83068
                                                                                  SHA-512:B8D709775C8D7CA246D0E52FF33017EE9A718B6C97C008181CD0C43DB7E60023D30D2F99A4930EBA124AF2F80452CBF27836D5B87E2968FB0F594ECA1EBF78DD
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 172399 bytes, 6 files, at 0x44 +A "xact_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8042, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):181567
                                                                                  Entropy (8bit):7.99567918868168
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:d0F/biJLp9lt7vCmPW8+bobje8bRuaUDuHxiViqmFT8K9rz3a9cO2A2XSHao4svF:KqvlhXu8++q2WuHYrS8ky2A2XKJvub/I
                                                                                  MD5:582102046D298E7B439C819895F6061D
                                                                                  SHA1:09900F44668350118589F18C693B131D7C1F9238
                                                                                  SHA-256:C91A6380C65853E41E2F9593B954F3B5AF49BCC894476D8EB78CD9F8B6DD7DA4
                                                                                  SHA-512:8AABBCBC88489FF8828D532BE5C1BC0D33D7960F41C7B38348AAE73BA4777999F4358466D061DDD8291DBD434E7741EE2C3215A10F8287BE36209E0842C4EB2D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 127711 bytes, 5 files, at 0x44 +A "xact2_2_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):136903
                                                                                  Entropy (8bit):7.992894428315885
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:D12mlhVvEbdSlFHljhuz+iFmKtp5LW+pc7Y5EExt2KF3:DwkMhqjhuz+efdLy7YSEP2KF3
                                                                                  MD5:CFCCA19D60EC3D822ED5EC8BBADEC941
                                                                                  SHA1:AB0E87182877991810AF48F1478906C1E671829E
                                                                                  SHA-256:23495764ABA10FF35CF9D23AEEFFDF38716219D8A155AE29162F01F7FE6A30CF
                                                                                  SHA-512:2ACAEA2DE2D77BBE8206E8309D48A4CBA432D72FB9BDE2576BCE7A31EE29FDCB0D44C2B996E8DC21A31BCDB03C806E11AD53B74D9C4C972436D5202825900C01
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 692512 bytes, 6 files, at 0x44 +A "d3dx10_34_x86.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 9065, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):701680
                                                                                  Entropy (8bit):7.9989902264021255
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:SuBBWP1krfKO0BZwB6ux8hBXsRbD3RazqgwLdJPMqHy7qdXCyhUW3zE:DBTrZ0BZwV8fXsprRaxsDBHyWdXg5
                                                                                  MD5:19383CBADA5DF3662303271CC9882314
                                                                                  SHA1:123C97C33F7EF2BA345B220450F181D440412E6B
                                                                                  SHA-256:8EC971C91040618338AC2369188F3E5D7C85A5B1E3B9FC8E752DD845D295CDBA
                                                                                  SHA-512:A4C6ACC9FF656E05D75AE0081C65C200B584209C99FD001494C4D206F2CE8A78D2DD3644E51018574928F3B9E9373BF7EC8C5147A3590B54D1C6D50E61342853
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1601814 bytes, 6 files, at 0x44 +A "d3dx9_34_x64.cat" +A "d3dx9_34.dll", flags 0x4, ID 8310, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1611006
                                                                                  Entropy (8bit):7.999795394912666
                                                                                  Encrypted:true
                                                                                  SSDEEP:49152:dyO6V3G0SAcId5iPNJKbtZJSlR3Q0872iOda:dyDlSA/5iPNY7Jo3GPOda
                                                                                  MD5:8DBAA3047397EE4CFCA2EFFFCC2DFBD1
                                                                                  SHA1:D88FAD72D7EAF38B8469B2B8492311C39C42BE04
                                                                                  SHA-256:FE4B15931E048C97CBBC26F753093E7D41ECCF174402542631284F8BDB9EE692
                                                                                  SHA-512:1CE01BF0BD4C0D832D95B13E958DA6CB69C0D3949B128FCF40EC59ECC0AD8989B27C91EAC28CD98777D57DFEB811CC1077FDB87348A11B6370D806771D7E742D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 843959 bytes, 6 files, at 0x44 "d3dx10_38.dll" "D3DCompiler_38.dll", flags 0x4, ID 8962, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):853127
                                                                                  Entropy (8bit):7.998980130768887
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:IKcIh4DqtGLRndZKm4zZTQb4BJ+gfG07QyGeZH:IKc64DgG9dIZTQb4L+GGIGeZH
                                                                                  MD5:B0E2B612DAF28B145B197A4DB0A9B721
                                                                                  SHA1:F69266E4AF3D2DE31A2A2E416F10B0F44737739A
                                                                                  SHA-256:E8DC1063C9434EED8D633741B19CDFA1889581041E2214B87B5159E3EA087F3C
                                                                                  SHA-512:6E31F18CB75CE69D291D0ABD15EDADF02C0693033351DFB2F435312A47540AA223C8176209725C14A05FA6494153A3E191B2FB7CB8C5CEE11FB42371CE67392B
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 925511 bytes, 5 files, at 0x44 "D3DCompiler_43.dll" "D3DCompiler_43_x86.cat", flags 0x4, ID 10023, number 1, extra bytes 20 in head, 65 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):934679
                                                                                  Entropy (8bit):7.998315243107519
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:pOWjUzqd7URYQio4yGDUATxoWDYicd3qRbmXHphTheb:ptx6RYQiL1DUA7EicSbUJhIb
                                                                                  MD5:E7DFA140CB0AE502048ECDF1E42360E6
                                                                                  SHA1:4DB08318F78F076FCC6FF29737B3D6D676F59C54
                                                                                  SHA-256:293CED557AD732ABD2737333DF39B08216F31601D7AB65B743FE51B4EFB8B6F0
                                                                                  SHA-512:39B69A5CC4A50DE72D031C41879ED7644B577A9E3E3B44BFECC61D5312C7C32C964DC2CD37DB711F7E486F444CA77FE732C642F3E494E6DA1BC1CF774D9EF75C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 762076 bytes, 5 files, at 0x44 "d3dx9_43.dll" "d3dx9_43_x86.cat", flags 0x4, ID 7093, number 1, extra bytes 20 in head, 62 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):771244
                                                                                  Entropy (8bit):7.999380380890997
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:E0b5pTUIVIRxV+yb+HJFnXQRGr85UpzQ3VztxmHN8DMFy0BJ1lSIug3SqHAlzJYf:l51NVO+XVLs3VztQHmYjBJb931I1NYI0
                                                                                  MD5:BF124B64FC3774F61D30DE0A405F0C6C
                                                                                  SHA1:2F8A8BABFA4E51555FCF125E8373D9C5F7F7434A
                                                                                  SHA-256:457C5CE48EAA0FE551B46DFFC1E4DCA985D261686D8D4E6BCED533EE1F682FCE
                                                                                  SHA-512:935922CE74BD399E8358693562F86C9B4B6308A6E33586A5DD61924F8B6B2CFD6CB2E472FD082B9EA32C0ABB9A799A0BA9103B4C316342F8072A7A3782C2116C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 797924 bytes, 6 files, at 0x44 +A "d3dx10_36_x86.cat" +A "d3dcompiler_36.dll", flags 0x4, ID 9083, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):807092
                                                                                  Entropy (8bit):7.998858073625772
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:EL+Y8gC2xQcaINcDDHwNXjNOl93uN850V7ZcR0SEDR3l3M:vD2xaINcDHIzhs0Vwz6c
                                                                                  MD5:3D9A0C59156D03DA0F19C2440E695637
                                                                                  SHA1:55B050991CB17410C75ADC3913066BAEDB482ED0
                                                                                  SHA-256:BDF7FB01C02783A4F8C9F5E7911F5CAE3E2A7CBC425B90B36F9EA6EEF2C27DE3
                                                                                  SHA-512:E9A662498C43865E917F0778B772D6964517E41289CBF5A0B8A4E44D8C4B4E9A5049C76F2ECBE4ACC7E9CFCC3F1D87A75C3F8703E66804CE758969814BA14FDA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 959461 bytes, 6 files, at 0x44 "d3dx10_40.dll" "D3DCompiler_40.dll", flags 0x4, ID 8926, number 1, extra bytes 20 in head, 77 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):968629
                                                                                  Entropy (8bit):7.999011847061652
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:JKTxCzc8gSDnU8Hz10a0s65QckarHGlImJtXn+QbtU0sHsqzn:mxCzs29r0WQma69nBbtU0sjzn
                                                                                  MD5:5DFEB46E60795266DA03F2D0A67E7ACD
                                                                                  SHA1:A77758873E5544E8AD22ACF469C4A0FD0C944A88
                                                                                  SHA-256:EC52B075A3E9C7FE468B317E0FF977964B1003D560065128741F4392BF47C49A
                                                                                  SHA-512:6EC058811AC017BE3CD3A46559CD73126666F41B0FA58D92C1168CF2A2E0E2357B19F65531C786EC81A438975DBECE440C5E7B6C653AFA5428CE6C444179AF6C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1406942 bytes, 5 files, at 0x44 +A "d3dx9_31_x64.cat" +A "d3dx9_31.dll", flags 0x4, ID 6653, number 1, extra bytes 20 in head, 124 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1416110
                                                                                  Entropy (8bit):7.999689455720137
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:DapRo0d7USayTXsV6ZMwksqb7CL7eRS3OnQdPIKoQZvkGVOxtWcjxWO3ehFWG492:DU+0wyTXsMiw+OORhQRdZLdc1BehFV4g
                                                                                  MD5:EDBA7BC2A22F3186420C271B7291DCA3
                                                                                  SHA1:65483DB4269BE348528FD205239B811D775421CA
                                                                                  SHA-256:4F5CFFA56FD44F7775F12FC511A1E3F030C05AC78484F6866B12B82979067C22
                                                                                  SHA-512:90A9FDAD3D7F933DA8C3731E42D262034907D8088B85D7100BE46C57DEF02B436C31EB9FF144B9D67FD931F92A1677EC0CD762D9AAF066BB026F139499BA3A66
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Windows setup INFormation
                                                                                  Category:dropped
                                                                                  Size (bytes):57739
                                                                                  Entropy (8bit):5.6901788814132646
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:eNIkdgBl0DBU0qwUqB7otN4PTHhy4m1Io/sF6UcmI2rIEoguD0dpY4rI8dgXl0dl:epECjtutVj072Xwt7O49vQzztSZs5KLz
                                                                                  MD5:2C4D9E4773084F33092CED15678A2C46
                                                                                  SHA1:BAD603D543470157EFFD4876A684B9CFD5075524
                                                                                  SHA-256:ED710D035CCAAB0914810BECF2F5DB2816DBA3A351F3666A38A903C80C16997A
                                                                                  SHA-512:D2E34CAC195CFEDE8BC64BDC92721C574963FF522618EDA4D7172F664AEB4C8675FD3D4F3658391EE5EAA398BCD2CE5D8F80DEECF51AF176F5C4BB2D2695E04E
                                                                                  Malicious:false
                                                                                  Preview:[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DirectX_Win9X]..DisplayName=%DirectX_Win9X%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4608,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x.cab",3..URL2="dinput_w9x_81.cab",3..URL3="dplay_w9x.cab",3..URL4="dshow_w9x.cab",3..URL5="dshow_w9x_81.cab",3..URL6="graphics_w9x.cab",3..URL7="graphics_w9x_81.cab",3..URL8="ks_w9x.cab",3..URL9="vb_w9x.cab",3..URL10="bda_w9x.cab",3..URL11="setup_w9x.cab",3..Version="9,29,1974,0"....[DirectX_Win98_ENG]..DisplayName=%DirectX_Win98%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4348,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x_eng.cab",3..URL2="dinput_w9x_81_eng.cab",3..URL3="dplay_w9x_eng.cab",3..URL4="dshow_w9x_eng.cab",3..URL5="dxdiag_w9x_eng.cab",3..URL6="graphics_w9x_eng.cab"
                                                                                  Process:C:\Users\user\Desktop\Palworld\dxwebsetup.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):95576
                                                                                  Entropy (8bit):6.500059286855779
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:BG8tBKv1HCyODN2wjIqlLmqxY3AMVI4I9okOEvc0/c/sZRYltL26VVE2S+JJqsHM:BptQv1iyODswNLmqxY3AMV71Ev54EAxa
                                                                                  MD5:984CAD22FA542A08C5D22941B888D8DC
                                                                                  SHA1:3E3522E7F3AF329F2235B0F0850D664D5377B3CD
                                                                                  SHA-256:57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308
                                                                                  SHA-512:8EF171218B331F0591A4B2A5E68DCBAE98F5891518CE877F1D8D1769C59C0F4DDAE43CC43DA6606975078F889C832F0666484DB9E047782E7A0AE4A2D41F5BEF
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: Palworld.exe, Detection: malicious, Browse
                                                                                  • Filename: 5b1cxnTnnS.exe, Detection: malicious, Browse
                                                                                  • Filename: JITStarter.exe, Detection: malicious, Browse
                                                                                  • Filename: JITStarter.exe, Detection: malicious, Browse
                                                                                  Process:C:\Users\user\Desktop\Palworld\dxwebsetup.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1566040
                                                                                  Entropy (8bit):6.387345800194587
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:GIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXig:GIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXV
                                                                                  MD5:A5412A144F63D639B47FCC1BA68CB029
                                                                                  SHA1:81BD5F1C99B22C0266F3F59959DFB4EA023BE47E
                                                                                  SHA-256:8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6
                                                                                  SHA-512:2679A4CB690E8D709CB5E57B59315D22F69F91EFA6C4EE841943751C882B0C0457FD4A3376AC3832C757C6DFAFFB7D844909C5665B86A95339AF586097EE0405
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: Palworld.exe, Detection: malicious, Browse
                                                                                  • Filename: 5b1cxnTnnS.exe, Detection: malicious, Browse
                                                                                  • Filename: JITStarter.exe, Detection: malicious, Browse
                                                                                  • Filename: JITStarter.exe, Detection: malicious, Browse
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Windows setup INFormation
                                                                                  Category:dropped
                                                                                  Size (bytes):66865
                                                                                  Entropy (8bit):5.567626982635727
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:Wn+OeDyG6lG9CVGQM6UP8XUUkw8KlNxLkPkjdARflPp0VZRTBM9oZPFASJu71N1F:V
                                                                                  MD5:B36D3F105D18E55534AD605CBF061A92
                                                                                  SHA1:788EF2DE1DEA6C8FE1D23A2E1007542F7321ED79
                                                                                  SHA-256:C6C5E877E92D387E977C135765075B7610DF2500E21C16E106A225216E6442AE
                                                                                  SHA-512:35AE00DA025FD578205337A018B35176095A876CD3C3CF67A3E8A8E69CD750A4CCC34CE240F11FAE3418E5E93CAF5082C987F0C63F9D953ED7CB8D9271E03B62
                                                                                  Malicious:false
                                                                                  Preview:..[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DXUpdate_Feb2005_x86]..DisplayName=%Feb2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=990,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Feb2005_d3dx9_24_x86.cab",3..Version=4,09,00,0904....[DXUpdate_Feb2005_x64]..DisplayName=%Feb2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1220,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Feb2005_d3dx9_24_x64.cab",3..Version=4,09,00,0904....[DXUpdate_Apr2005_x86]..DisplayName=%Apr2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1055,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Apr2005_d3dx9_25_x86.cab",3..Version=4,09,00,0904....[DXUpdate_Apr2005_x64]..DisplayName=%Apr2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1317
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):177152
                                                                                  Entropy (8bit):6.549767948531931
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:KU6LKKnw8i/9S7BLGKm/nuFV3uNgosUBxr+2y97CqGIpHtWMeJnQRLj+bTHyKaY:Iw8aIMrfuFVeNgosUBxra4rIZsqq
                                                                                  MD5:7ED554B08E5B69578F9DE012822C39C9
                                                                                  SHA1:036D04513E134786B4758DEF5AFF83D19BF50C6E
                                                                                  SHA-256:FB4F297E295C802B1377C6684734B7249D55743DFB7C14807BEF59A1B5DB63A2
                                                                                  SHA-512:7AF5F9C4A3AD5C120BCDD681B958808ADA4D885D21AEB4A009A36A674AD3ECE9B51837212A982DB6142A6B5580E5B68D46971B802456701391CE40785AE6EBD9
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Windows setup INFormation
                                                                                  Category:dropped
                                                                                  Size (bytes):12848
                                                                                  Entropy (8bit):5.071095411173453
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:eXTiDxtV0xxmBxbD6Ys7s6xHOJYwYdDxAp8xXZyUxIJM:eXiM
                                                                                  MD5:E6A74342F328AFA559D5B0544E113571
                                                                                  SHA1:A08B053DFD061391942D359C70F9DD406A968B7D
                                                                                  SHA-256:93F5589499EE4EE2812D73C0D8FEACBBCFE8C47B6D98572486BC0EFF3C5906CA
                                                                                  SHA-512:1E35E5BDFF1D551DA6C1220A1A228C657A56A70DEDF5BE2D9273FC540F9C9F0BB73469595309EA1FF561BE7480EE92D16F7ACBBD597136F4FC5F9B8B65ECDFAD
                                                                                  Malicious:false
                                                                                  Preview:..; ---- Common sections ----..[Version]..Signature = "$CHICAGO$"..AdvancedINF = 2.0..Provider = %MSFT%..SetupClass = BASE....[Strings]..MSFT = "Microsoft"....[MDXDLLs]..Microsoft.DirectX.AudioVideoPlayback.dll..Microsoft.DirectX.Diagnostics.dll..Microsoft.DirectX.Direct3D.dll..Microsoft.DirectX.Direct3DX.dll..Microsoft.DirectX.DirectDraw.dll..Microsoft.DirectX.DirectInput.dll..Microsoft.DirectX.DirectPlay.dll..Microsoft.DirectX.DirectSound.dll..Microsoft.DirectX.dll......; ---- Windows 98 ----..[4.09.00.0904.00-4.09.00.0904.00_Win98_Feb2005_d3dx9_24_x86.cab]..NumberOfFiles=4..Size=2178 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..d3dx9_24_w9x.inf....[4.09.00.0904.00-4.09.00.0904.00_Win98_Feb2005_MDX_x86.MSI]..NumberOfFiles=1..Size=1788 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..Dependencies=feb2005_d3dx9_24_x86.cab..Feb2005_MDX_x86.MSI......; ---- Windows ME ----..[4.09.00.0904.00-4.09.00.0904.00_WinME_Feb2005_d3dx9_24_x86.cab]..N
                                                                                  Process:C:\Users\user\Desktop\Palworld\dxwebsetup.exe
                                                                                  File Type:Windows setup INFormation
                                                                                  Category:dropped
                                                                                  Size (bytes):57739
                                                                                  Entropy (8bit):5.6901788814132646
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:eNIkdgBl0DBU0qwUqB7otN4PTHhy4m1Io/sF6UcmI2rIEoguD0dpY4rI8dgXl0dl:epECjtutVj072Xwt7O49vQzztSZs5KLz
                                                                                  MD5:2C4D9E4773084F33092CED15678A2C46
                                                                                  SHA1:BAD603D543470157EFFD4876A684B9CFD5075524
                                                                                  SHA-256:ED710D035CCAAB0914810BECF2F5DB2816DBA3A351F3666A38A903C80C16997A
                                                                                  SHA-512:D2E34CAC195CFEDE8BC64BDC92721C574963FF522618EDA4D7172F664AEB4C8675FD3D4F3658391EE5EAA398BCD2CE5D8F80DEECF51AF176F5C4BB2D2695E04E
                                                                                  Malicious:false
                                                                                  Preview:[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DirectX_Win9X]..DisplayName=%DirectX_Win9X%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4608,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x.cab",3..URL2="dinput_w9x_81.cab",3..URL3="dplay_w9x.cab",3..URL4="dshow_w9x.cab",3..URL5="dshow_w9x_81.cab",3..URL6="graphics_w9x.cab",3..URL7="graphics_w9x_81.cab",3..URL8="ks_w9x.cab",3..URL9="vb_w9x.cab",3..URL10="bda_w9x.cab",3..URL11="setup_w9x.cab",3..Version="9,29,1974,0"....[DirectX_Win98_ENG]..DisplayName=%DirectX_Win98%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4348,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x_eng.cab",3..URL2="dinput_w9x_81_eng.cab",3..URL3="dplay_w9x_eng.cab",3..URL4="dshow_w9x_eng.cab",3..URL5="dxdiag_w9x_eng.cab",3..URL6="graphics_w9x_eng.cab"
                                                                                  Process:C:\Users\user\Desktop\Palworld\dxwebsetup.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):527360
                                                                                  Entropy (8bit):6.071483982747115
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:diqLKVd9Aqq3Z/yKxAG2ur4IhUNJ4g3nO9hpRH0gQSpHt+akOC8BTDmsikzWX+us:DFAKJr4IWNJ4MOrpRBQS3kydI+xyS
                                                                                  MD5:AC3A5F7BE8CD13A863B50AB5FE00B71C
                                                                                  SHA1:EEE417CD92E263B84DD3B5DCC2B4B463FE6E84D9
                                                                                  SHA-256:8F5E89298E3DC2E22D47515900C37CCA4EE121C5BA06A6D962D40AD6E1A595DA
                                                                                  SHA-512:C8BBE791373DAD681F0AC9F5AB538119BDE685D4F901F5DB085C73163FC2E868972B2DE60E72CCD44F745F1FD88FCDE2E27F32302D8CBD3C1F43E6E657C79FBA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\Desktop\Palworld\dxwebsetup.exe
                                                                                  File Type:Windows setup INFormation
                                                                                  Category:dropped
                                                                                  Size (bytes):477
                                                                                  Entropy (8bit):5.237059564403252
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:AEAv+BIHfXhPJycXlnMlr4TFagtVFIglFdW8HEwF2T2GHEdqT2azM2GvjokVj2aE:BBIpPJhXlnMYFz2gkDvqtwqa9YS7r
                                                                                  MD5:AD8982EAA02C7AD4D7CDCBC248CAA941
                                                                                  SHA1:4CCD8E038D73A5361D754C7598ED238FC040D16B
                                                                                  SHA-256:D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00
                                                                                  SHA-512:5C805D78BAFFF06C36B5DF6286709DDF2D36808280F92E62DC4C285EDD9176195A764D5CF0BB000DA53CA8BBF66DDD61D852E4259E3113F6529E2D7BDBDD6E28
                                                                                  Malicious:false
                                                                                  Preview:[Version]..Signature="$CHICAGO$"..AdvancedINF=2.0..Provider = %MSFT%....[SourceDisksNames]..1 = %DiskName%,DXWSETUP.EXE,0....[SourceDisksFiles]..dsetup.dll=1..dsetup32.dll=1....[DestinationDirs]..DSetupDLL=11,directx\websetup....[DirectX_WinNT]..CopyFiles=DSetupDLL....[DirectX_Win9X]..CopyFiles=DSetupDLL....[CleanUp]..DelFiles=DSetupDLL....[DSetupDLL]..dsetup.dll,,,32..dsetup32.dll,,,32....[Strings]..MSFT = "Microsoft"..DiskName = "DXWSETUP"....
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):44129
                                                                                  Entropy (8bit):5.379412726463813
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:vO2TiQe8fGVSjiEyy/pYuF9c4/YCE1mS/SnnIXMiTVJ21wkxLChk63LBXuEt9KIZ:v5iQe8fGgGF
                                                                                  MD5:8A6E5C2D1C23D6AFAEC2E851AF6681E9
                                                                                  SHA1:DC19BC26B4FEC634639940BB3EDB9DAE0CC023D7
                                                                                  SHA-256:F7D5F52F08A6334EF986EF55E7256FE01AAFEA94AF6F9716EFABFE2921457F98
                                                                                  SHA-512:32EA76C96473A35439A5449D774D1FE44D30DF23CFDBEA74E6B989A6D4BBF1A309C7570238BB1A2E0668150CAE67B5AC4B06C81A258D3786A844ABBD58276B6A
                                                                                  Malicious:false
                                                                                  Preview:01/30/24 18:57:07: DXWSetup: ***** DXWSETUP *****..01/30/24 18:57:07: DXWSetup: WinMain()..01/30/24 18:57:07: DXWSetup: IsIA64(): not IA64...01/30/24 18:57:07: DXWSetup: Unable to get Version on target file C:\Windows\system32\directx\websetup\dsetup.dll..01/30/24 18:57:07: DXWSetup: Installed file C:\Windows\system32\directx\websetup\dsetup.dll..01/30/24 18:57:07: DXWSetup: Unable to get Version on target file C:\Windows\system32\directx\websetup\dsetup32.dll..01/30/24 18:57:07: DXWSetup: Installed file C:\Windows\system32\directx\websetup\dsetup32.dll..01/30/24 18:57:07: DXWSetup: GetDXVersion(): Unable to get RC string from registry...01/30/24 18:57:07: DXWSetup: DirectX Version: 4.09.00.0904.00..01/30/24 18:57:07: DXWSetup: Setup Version: 4.09.00.0904.00..01/30/24 18:57:07: DXWSetup: A newer version of DirectX have been installed already...01/30/24 18:57:13: DXWSetup: CDXWSetup::CDXWSetup()..01/30/24 18:57:13: DXWSetup: CDXWSetup::DownloadDXUpdate()..01/30/24 18:57:13: DXWSetup: On
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1341394 bytes, 5 files, at 0x44 +A "d3dx9_25_x64.cat" +A "d3dx9_25.dll", flags 0x4, ID 6661, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1350562
                                                                                  Entropy (8bit):7.999714569554039
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:qc+wdspnWpjnrcf+FH+guUawET50xShS+KMMMBNNxjUBH/0ghOw5b:r+AspngnK1TDhS+jMMBN3jeHLhOE
                                                                                  MD5:E961A77647E7FC2597A68FF572F730E1
                                                                                  SHA1:976D1CDE1EC28A4992E1CBC345637447115F14C8
                                                                                  SHA-256:A239E99D02FBFC9D30D5B705AA743FC070386FAEA1A66B3D67099AB446568A12
                                                                                  SHA-512:CF72AE18E99942D959BCE58678F544A10C98802D919ADC30737389D6CC0D492F8D7902E0E2CD04501FE6429B96C782649658D2D35C879A202C23E88570A15B94
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1073002 bytes, 5 files, at 0x44 +A "d3dx9_25_x86.cat" +A "d3dx9_25.dll", flags 0x4, ID 6922, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1082170
                                                                                  Entropy (8bit):7.999075135168916
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:i0BodqhH/OCy8M+j5lcB4ZfeXBXUd/QLML9bw6Uzc12:iUbffy/+lmBXF8Ioxw6Uo12
                                                                                  MD5:9C5DCA423D9D68349D290DF291DDBEEF
                                                                                  SHA1:D9F1CAE586470EA309CE9F115525B0504FFFAEA4
                                                                                  SHA-256:5487ED4E969A822E5C481CEFB1D4DA3066B1D5EC8C55798B246915ECB58A8665
                                                                                  SHA-512:9F50599321F45FB7451B0A1C0F1DCBD6B4A4E60EE27B0EF5AA29168C1BCE5B08F34329916EA2EA655CD632D0A19C81953C2A5F1277F6A96FB63AFC098236509D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1391870 bytes, 5 files, at 0x44 +A "d3dx9_30_x64.cat" +A "d3dx9_30.dll", flags 0x4, ID 6646, number 1, extra bytes 20 in head, 123 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1401038
                                                                                  Entropy (8bit):7.999678252363499
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:qpSOf0NLgpl5UCjJlezBreTxpgDysu8tyDJhllXCQaXVVeOYa54Sx0HfWyRA7ydL:80xgpl5UCLezBrg4uDDJhlAQQn8Sk87a
                                                                                  MD5:5EC6F520F3AFCC6494AB0D43B690EBD4
                                                                                  SHA1:2359E14CB6DA44AA89A3815E905D6FFD81960D02
                                                                                  SHA-256:27D99894E2A68601F46487C9999723DC83BCC9C6F903F2E2622D05668035B015
                                                                                  SHA-512:9DB4A9581EDAE2681491D5E13228642737D0D186E0E1672B063482B2E699274ACFCB81DFA9631902E93E009ADC0BBD9447061830C8CE2FEAD6743E2D45AAED60
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1109261 bytes, 5 files, at 0x44 +A "d3dx9_30_x86.cat" +A "d3dx9_30.dll", flags 0x4, ID 6903, number 1, extra bytes 20 in head, 74 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1118429
                                                                                  Entropy (8bit):7.999050518080374
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:OreyPa6AC8e290lruGDhi3TSvHDh+ISNvRNhPmJ0RRuu:cNoeYEuTSvjh+R3WKRv
                                                                                  MD5:B3D644A116C54AFDA42A61B0058BE112
                                                                                  SHA1:9AF7DDC29EEF98810A1A2F85DB0B19B2EC771437
                                                                                  SHA-256:CA7B9C6A49E986C350147F00A6C95C5B577847B5667B75681A1EE15E3A189106
                                                                                  SHA-512:A2D2F12B7B37BD8F5C8465DD13AD31942DF11EE5ED5423DEEEB178E6B594587706D2C5116258BE1562CAA5ECA691358AF3CB83B77898D1012FF521017D199165
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 173173 bytes, 6 files, at 0x44 +A "xact2_1_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):182341
                                                                                  Entropy (8bit):7.996367169399176
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:iP7n/mIkqSEiqQAK23yLLBIvm2dozls4yaqS0yaP/Y5UZEPnQ79:iPL+fRqQAD3Tvxd8l/zsg5UZEIp
                                                                                  MD5:6CA70CDB3FA575506BA4035E9A50D8E4
                                                                                  SHA1:A2A20F5F95A1AB293A188A55BF593A82EA0DCB7F
                                                                                  SHA-256:F82B2043B470BF0E711C3D05D758A379920340212437917B5D98AF0C14E7BFE0
                                                                                  SHA-512:A453CED526332ACE37861A0A862FFF3710EF74ED57965F28DD279F526A2F33C390E82FD2C49BEE75476E5B4C349C40A71EEE49EDAC720236A16780DFD700FE62
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 127143 bytes, 5 files, at 0x44 +A "xact2_1_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):136311
                                                                                  Entropy (8bit):7.992811243778454
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:NqvFmCDJEmTNSPtjVgIc5Ul8IlTq3UJWaL6LHZF/U7a7b0qJFkd22ig3nQ1d7+Z/:NYmCyC5U+Il0yWYSMaXzkYQ3nWUZDuY
                                                                                  MD5:A2132A62F9AB0BDDC3207166DC014581
                                                                                  SHA1:53B19AC3E6C6752011BA641EE3C409ED10C95DD9
                                                                                  SHA-256:52C71C89CCC22FED3D7C985A22C464451AF34B63B3A26A3799BC25D881221EBC
                                                                                  SHA-512:76FABD7F440B6F9B409B0B2635EAD4EF332563A9BED738A722A7C6B9A077094154BF735CAF02C67191B08AB0A19FC03E05EF3D984F6E34DCF3BD587A05D2F424
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):90309
                                                                                  Entropy (8bit):7.986243949537019
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:/0CNqg1WzKHJUq/JSlvxToeSNOUp9BttldRL9zaMNez4fbI9YKztrIrm:/hIg1cEJUxvxlSNOUpfttldRL9zkzAI5
                                                                                  MD5:B0669F7D395078BEE0087B089F0B45C5
                                                                                  SHA1:30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
                                                                                  SHA-256:E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
                                                                                  SHA-512:D7EFCFD85B3CB6CB9B1936B701A9D7D91A6094AA08D8C933EDF8493C6AD57BE05A579980A404B35E9721F71B45F4CAE28399FCA3FF5DF20A9A3138B90F86B94C
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 40050 bytes, 4 files, at 0x44 +A "xinput1_1_x86.cat" +A "xinput1_1.dll", flags 0x4, ID 6338, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):49218
                                                                                  Entropy (8bit):7.962835058038329
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:rrXN+lWp5tvn2v0JeuXfYYJDyRIvwde6hecBLdKd+d4RUJ6HwyQs34VvD4:3gl6tfTVXwcWuqe6htcaJyQW4VvD4
                                                                                  MD5:E207FB904E641246F3F7234DB74121FC
                                                                                  SHA1:1BE8C50C074699BDD9184714E9022B7A2F8BF928
                                                                                  SHA-256:3FDF63211B0DD38069A9C1DF74D7BC42742DE003CEF72AD1486AAA92D74546FA
                                                                                  SHA-512:ED95D53BC351C98C0322753265B0A21C98DF97D0E2FBBC58A6836BFF374B7540B0CEA21371CD4A7EAD654210A42E1F9809CAC6E4EAE2ECF0EF2B88E220DC37F7
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 692652 bytes, 7 files, at 0x44 +A "d3dx10_33_x64.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 10164, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):701820
                                                                                  Entropy (8bit):7.999560976493214
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:RK6/uIaEOb2fc+HdQn/lDTK79RrFEYnj3LUFWQJcR1WrADy2IYxUSsEtiqUoY:RUlb2fc+9Qn/u9RrFEO3LUjU95I/EtiL
                                                                                  MD5:906318E8C444DAAAEA30550D5024F235
                                                                                  SHA1:3F3DCCF0A8A1CBF6F603BE1DA02E1E2BF89D24FC
                                                                                  SHA-256:1A37565C5B868B6A5C67F3E24B8AF547506799444CB77C7086E7B0CEC852F239
                                                                                  SHA-512:0A7AED2F49EA3DCBCA1607FC46F166A44BC9D08589DB05051B422C8AD84ADF322352F71333367C612F9579B4AACB4CD6B82489DDF168AD67FB4D42AB52999C88
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 689905 bytes, 6 files, at 0x44 +A "d3dx10_33_x86.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 9049, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):699073
                                                                                  Entropy (8bit):7.998968028413629
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:SHwziN1v34WzSc6IA6ajvY8ov8ZdReUTQ8Mr47JYCophIa9sNDn1QcILtw6:V01wWzCI3ajjls4NpAsNDnMw6
                                                                                  MD5:F784B8A0FD84C8AC3F218A9842D8DA56
                                                                                  SHA1:FB7B4B0F81CD5F1C6A900C71BFD4524AF9A79ECE
                                                                                  SHA-256:949068035CE57BBB3658217EC04F8DE7A122C6E7857B6F8B0CA002EB573DF553
                                                                                  SHA-512:01B818AA5188CDE3504E289AEDCA2D31A6C5AED479B18A2C78271828AE04BEBCD4082051B7F4EECA8A31E8EE5ADBA158420ECDCB21371C735E4781EE5F661DBF
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1601398 bytes, 6 files, at 0x44 +A "d3dx9_33_x64.cat" +A "d3dx9_33.dll", flags 0x4, ID 8295, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1610566
                                                                                  Entropy (8bit):7.999804070832858
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:NjzSeifTXjfzuO/m35sCqSrSBEZqyi2bjbBfQbIKpP5FfiB0Qjq/X1ZXp8e:NvSeSTXj7u0OUM9UStQbNd/Gjq/FD
                                                                                  MD5:F33C12F535DC4121E07938629BC6F5B2
                                                                                  SHA1:6B93FBE3D419670A71813E087D289B77E58E482B
                                                                                  SHA-256:3CA2ACF6B952D6438B91E540F39ABCB93EE12E340BA1302F7406F01568E5CF91
                                                                                  SHA-512:DF1753AB43D5B7FDE2A5EB65A77B37BA28599BC0683A4306F101C75F82B0F1A2C8DDF5741981073CC5DF26E9EA38C9A495ED0FB1689D2E7FC7D6F693759C822A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1600079 bytes, 5 files, at 0x44 +A "d3dx9_33_x86.cat" +A "d3dx9_33.dll", flags 0x4, ID 7180, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1609247
                                                                                  Entropy (8bit):7.999284261824255
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:4cQY0tIpwa5ydxGuruluTsRWo1Iq9e5m98yiN9/0rjVH60mPxr/1MQK:4cIIi+G9rul8uooec98yi//0rjoDZrCF
                                                                                  MD5:A5915EC0BE93D7EEBE8800CE761EE6DC
                                                                                  SHA1:E8BBC21C2B5F0E5801286F07E3DA09DBC67C3961
                                                                                  SHA-256:EFA2E6DE548401376A575E83A79DE019AA38F191D63FDEF3BD2B07D8CB33E3D7
                                                                                  SHA-512:02259FF3C8478CBA134A8F8408AA624B7165CED97C0AED8C9626034599DD5439F84D1AF9EEFC4191898B0A524E5FFAFB9875EC00E740CEBE97EAC4C2DD0E31AA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 189806 bytes, 7 files, at 0x44 +A "xact2_7_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 10116, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):198974
                                                                                  Entropy (8bit):7.996718266567073
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:kr+0amjUgjJG0HRzMUxWDJkUMP9KeK17dq569:krPVzjf+pk9keKdq5q
                                                                                  MD5:FBB6AA140D5D0AA28A7561EA15D69E72
                                                                                  SHA1:26804276EDBB1EE23B96690B40A01BB9C723F7DA
                                                                                  SHA-256:7781F0494648989583D4AC7695B9C5310EEA76B6A102E15EA0FC7376250E4584
                                                                                  SHA-512:08D6F2EF3346229F71E9FD6904D99BCB69F0A03CBD2D428F0A3BA58836694B801446165814AEE120B4C5EB7046184B08FB49248F5E1941579B9CAEAF9FBA1B1A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 145265 bytes, 6 files, at 0x44 +A "xact2_7_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 9001, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):154433
                                                                                  Entropy (8bit):7.994491966822324
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:BcJ4S2kOBrMASnHr7M58QmpeFT7582Skd1ksaIwbhQDp9kkIFxYJQZW9379+:BQ4S2kOi/MKbSV82xKnDVQ/EqQZa3k
                                                                                  MD5:8922189C0A46D26B2C52C65515D87180
                                                                                  SHA1:27830C01AFB15158186A045B7224EF33793AD211
                                                                                  SHA-256:39F970BF4CC42E9325ADA84A603C6C691BF94921385A52325F402F7432ACE697
                                                                                  SHA-512:53D51CAA2CF448681A709F2B9737EF75DEA4E9A46E2B29E6588B13E941671643A64D3597649AA2AE0B1FE9E5D591ED00BAD9FF3344CA62851E03A68279142CAB
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 90857 bytes, 6 files, at 0x44 +A "xinput1_3_x64.cat" +A "xinput1_3.dll", flags 0x4, ID 9350, number 1, extra bytes 20 in head, 6 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):100025
                                                                                  Entropy (8bit):7.988437274786544
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:Mt5OSvuXSf2rbZu4Kmsr4eLRwPC5B9y7q:MTOBXSSpFI4/PM/ye
                                                                                  MD5:FAE84E0773A74F367124C6D871516B7B
                                                                                  SHA1:CAF8B9D7D4AF965BF445D052D1E835B680D6BBC3
                                                                                  SHA-256:86EE073C199B5080FE4F5BE6AC24BB1117FEA42E4BBCD828B4F0EC26C669B22C
                                                                                  SHA-512:CAF1381CAE7417B57FAEF56D0023BF90C90406748F8813AB85C687DDB81E2498D2F1D5F4BC154903FD5A19836E6F245CD6F5D3927A383F1ACC3BCC41B58FD09B
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 47342 bytes, 5 files, at 0x44 +A "xinput1_3_x86.cat" +A "xinput1_3.dll", flags 0x4, ID 8235, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):56510
                                                                                  Entropy (8bit):7.973777529821975
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:BcnwcwzHEdb27WH2SfZDNu75ddnVR+ZFaNk0ZKn4:4wb+2eZonQwt
                                                                                  MD5:B362EC93463D8B6381A864D35D38C512
                                                                                  SHA1:7CE47EBCEDA117D8B9748B5B2D3A6AE99FC239DF
                                                                                  SHA-256:B6C1166C57D91AFEEEAA745238D0D6465FF2084F0606FD29FAF1BFA9E008A6C5
                                                                                  SHA-512:CC57733912E2A296A11CD078372C3B43F1256A93EC5BECD0D1B520EB210FCE60938AA1CAA6DBBCA03292A05495B5ECD212EE5F77E3EBABB11EF31F1975B2D09E
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1344582 bytes, 5 files, at 0x44 +A "d3dx9_27_x64.cat" +A "d3dx9_27.dll", flags 0x4, ID 6663, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1353750
                                                                                  Entropy (8bit):7.999671999388792
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:eG/1unuf7Ga2dGKSnUG+zOADaZmd+JzQpymAFVZcRVhZ9k7LN7QDKW+L:eg4G7GaISn+6FZC+5vmC7EUNRWU
                                                                                  MD5:A9F4068650DF203CEE34E2CA39038618
                                                                                  SHA1:CD8CAECEECD01DAC35B198B42725CBEB5B7965A7
                                                                                  SHA-256:3500C1A7CFB5594521338D1C29946D1E4FFA44D5B6BC6CF347C5BBBDE18E94DC
                                                                                  SHA-512:C92FB461B53051A22FB480BA5B6BF2706614AE93BE055B00280BE4DACE19C1F2A9327106A71851B0E42F39E4172EA3A027F7CE878BCBCB252B723EEA49DBCF1B
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1071684 bytes, 5 files, at 0x44 +A "d3dx9_27_x86.cat" +A "d3dx9_27.dll", flags 0x4, ID 6926, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1080852
                                                                                  Entropy (8bit):7.999138982152864
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:sP2N00PXWcq4UsDMMlsOgDUaQFMBZ0To2xIG:sP2CuZQsVl96fQiZMo2xz
                                                                                  MD5:3E91448A7481A78318DCE123790EE31A
                                                                                  SHA1:AE5FE894790624BAD3E59234577E5CB009196FDF
                                                                                  SHA-256:8C062B22DC2814D4F426827B4BF8CFD95989FD986FB3AAA23438A485EE748D6D
                                                                                  SHA-512:F8318BD7CA4271FC328D19428E4688DA898B6D7FB56CC185AD661D4A18C8169392C63515D7DD2D0B65CBD1F23892D7A0A5D3D77A4CDA6230BA03B3B917E5C39A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 176943 bytes, 6 files, at 0x44 +A "xact2_3_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):186111
                                                                                  Entropy (8bit):7.995685991314543
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:yglGrmTM3Ne3LnSYZr66OltMlRz/EFa6xoXJMOL7CmAvyl81g5K7VQLWRrZL:xESKSRr66OltMlWFa6xoMOL7vmGGCArN
                                                                                  MD5:4BA26F9DCCAEBD7BE849A076EC82D6FF
                                                                                  SHA1:42FB0D0089D8BC92735820F475968F59AF4E4365
                                                                                  SHA-256:13E7EB934A7596E7C3B7D8A0962E68DA841D9C73D154825DC982FF6D05CFF221
                                                                                  SHA-512:4E4FD8A31AC3C2F8CC66D434103C0097AB3FBE2C2E8140AAE2F95FC4AC1927AAE9CDCE8730DD7C4DAD785D9A653D90B0F914B258BB5695C68CA93F605AC82DD4
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 131275 bytes, 5 files, at 0x44 +A "xact2_3_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):140443
                                                                                  Entropy (8bit):7.993872348182751
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:ZLkEev6VCdOQKPuF/p+emNC4J962LGMlPj6MoCW37gwND08:ZLkEeKCdsPufE59tLGMpxobsG08
                                                                                  MD5:E16F0875713956A6F9CD8C5ACAD36E51
                                                                                  SHA1:984B821EAEF3B549CE0B12F72A405A93E51A9DFE
                                                                                  SHA-256:31B16F93BE7F5F9BB78E9ECE6DA96565D50A0BC1F66B206B7A21C601A308DC53
                                                                                  SHA-512:DD626D5552EAF0C1DBD32BC4DD84811BACE74C6350EDDAC692D3C3E8C393F4A19C26E8F2932F54A14648448912E6B87C796C6EEB6DA9B2C55EC4565983B76189
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 81182 bytes, 5 files, at 0x44 +A "xinput1_2_x64.cat" +A "xinput1_2.dll", flags 0x4, ID 7454, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):90350
                                                                                  Entropy (8bit):7.985841057262195
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:5lQFOMW9t2gGQtmxC4LbB8GXjgvW/j44krD+W2MLdk6v5yO1Ha6DB/4RPjz6ITda:rIOMWm+tmnbXjVkWW1lgO166cjz6z
                                                                                  MD5:A9D582E44E46E36F37EDB7CBC761179D
                                                                                  SHA1:ED1BEF64385E94CE89AFA704D38408E23B31FA79
                                                                                  SHA-256:C26633D38E0A91B9BE70382E916A83D50E219609F7E05CFB2D27DFAFBE480B43
                                                                                  SHA-512:20011BFB547DEDCE8E6FCEDA22C3A3A83DB140E8A20844F3B0E8741B4474C1FEA73D84708B801E83EAE3CD2D8A2D6C851C3F7CD0154C0382A78BC2C2DF6B01E5
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 40098 bytes, 4 files, at 0x44 +A "xinput1_2_x86.cat" +A "xinput1_2.dll", flags 0x4, ID 6335, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):49266
                                                                                  Entropy (8bit):7.9632460736333766
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:OuG396sAA1wXXvVFc2755DkphtVmUkt/lnkvH0odpl/q1nk:vwQsAhFcSmpJ3kt/xcd7ek
                                                                                  MD5:16B968CA0C435EE45E77A84C2D0364A9
                                                                                  SHA1:90B17A60A34F6335787A6B2D489CBCD3A4EA98C8
                                                                                  SHA-256:6DD7C0ABE37D3DF7AA6DB7BB352260F4A15DC965FF9D30AA32FE9595C1A18300
                                                                                  SHA-512:3BBBFDF8B5673641EC066C3FB52E6B0D5CE0BC6ED6BFF17AB4AC3FA69A8628B09E5EC8322FC39D2A206974B54D297CAAFF9410197E26D090FE74F963CD535045
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 846326 bytes, 7 files, at 0x44 +A "d3dx10_35_x64.cat" +A "d3dcompiler_35.dll", flags 0x4, ID 10170, number 1, extra bytes 20 in head, 79 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):855494
                                                                                  Entropy (8bit):7.999465744344346
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:zjF8w0LrsXJsv8dTWuiF8xcg+6FPwZuTCsIJRTrDUrcLUWKUlmeLbPzifDrr2VNt:t5YidTlG8htw6CRXLUW5VDSMKCZH1
                                                                                  MD5:8F715D741B7401547A263FD4AF02E7BA
                                                                                  SHA1:39C031174008A0E7BD603A5670F578C0CC6443DD
                                                                                  SHA-256:C97275F60E2F25732B3B264B8BDF9CFDAA39D6E5B189C08FAB5CD7A04FAE9BF7
                                                                                  SHA-512:27CDB534361C1F6205585E1BAABD83B03F6715D29AFB61351F660BED1CCD1EF035C6541AD7E4C551BFDD2AA8FE77A903D23EB27618ED369C37A369D373467C8C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 790907 bytes, 6 files, at 0x44 +A "d3dx10_35_x86.cat" +A "d3dcompiler_35.dll", flags 0x4, ID 9055, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):800075
                                                                                  Entropy (8bit):7.9986813742013325
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:iTo6mZ4UtaxS5hNsXjnUQEnnR62vSNE6xr8M6:iTdwtqAUXjU7nQaSNvxo
                                                                                  MD5:DDC4AF0D53B477E5AF77942E7118B66E
                                                                                  SHA1:81AD8201DCF653A6E977C4506A274D0BAC12643C
                                                                                  SHA-256:9536166EE7CC1100CFE24E01532E8E4DEED6BAA838B4C025581F2CA046A25915
                                                                                  SHA-512:1E082D7E7855BC0AF6EC09D4A69FD4A1B0A3A31E4DE8FAA52FA0BDCD601C501ADA6216DDDB83058F37AB4A371068E0F344BDF42F2551943BE19BD719D99BA93C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1794200 bytes, 6 files, at 0x44 +A "d3dx9_35_x64.cat" +A "d3dx9_35.dll", flags 0x4, ID 8299, number 1, extra bytes 20 in head, 158 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1803368
                                                                                  Entropy (8bit):7.9998161056633865
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:PMXSYnySbH+yjdYmHPvYn1ZaRSJwF3IwnWkKxpnQfp9sDEYuNHtMJ11yD6TgkRW1:0XS+q4YoIyIJwNImAQHNNMncD6MedsR
                                                                                  MD5:DDFEF236E7D70471AAA1741A8ABFB735
                                                                                  SHA1:5F7ACDE3116A6D4363410D984B9C8919674EC9C9
                                                                                  SHA-256:28B6FF092DE67717C47649C87E7114C34325EDDA199CE2943403C4F3F4C3E0B2
                                                                                  SHA-512:00990F7E6F266C67385813B0BA399A2A2C970DCFAAEB7FAB183E2EC0CC50613CB0AD57200BCDC731900D8F7E609C95E8FF9CDDAA52BCE2CCEDBCF4E9F74008CE
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1702192 bytes, 5 files, at 0x44 +A "d3dx9_35_x86.cat" +A "d3dx9_35.dll", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1711360
                                                                                  Entropy (8bit):7.999186916403002
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:91jqFBu+YTN2MuQ4R6dPnknsGmQA+re+1ZGD+rCbaNHy196aqlF35RJT1q/P0a+8:9FyMTN57+MPO++rB44S1I/F35zhqFR
                                                                                  MD5:3ED592E6CDAE66B1C0671D9EC417A738
                                                                                  SHA1:9F083FFE00A8E5EABF282130CD16044B488B6E0D
                                                                                  SHA-256:4914D2B5C3251B00C0CC236F51AFE469728D92B50C953C66D213F079AC928EAC
                                                                                  SHA-512:0144DD9A83F953EABAAFF3C41F17A363100C9A2CCD932321A4AFE990D8FCB5A430E842DE9146C983409B6366CD974E318A535E6475B10839A6679844CB7D23B7
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 843207 bytes, 6 files, at 0x44 "d3dx10_39.dll" "D3DCompiler_39.dll", flags 0x4, ID 8952, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):852375
                                                                                  Entropy (8bit):7.998886184584254
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:E6Ih4DqlkwAjhr1mB+uYgrCvCZNmJ9ndKo4XYbX:E664DQkwAj/oNCvCZIdN4ID
                                                                                  MD5:5380053AC4C344BD38604022476B1C1D
                                                                                  SHA1:043DC8F49BCA3BF0BD85E858F5C2EEDF68565C0D
                                                                                  SHA-256:84800C55F773D5D6913E344E41BABA58CF07CEC2E6C7114CA3BF48E8F355419F
                                                                                  SHA-512:F3CE2DEF6E2E8A1D2C07F627E3C437A1BBA0B2E456020A84121346472BE3D28E0FC69623BD408F35A2C639C83DD2787F998DEDFE42B7625DC71500824B035FEC
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1458712 bytes, 5 files, at 0x44 "d3dx9_39.dll" "d3dx9_39_x86.cat", flags 0x4, ID 7173, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1467880
                                                                                  Entropy (8bit):7.999682997096517
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:ztDuVYfr3zZ3dHi+rHI8lVs1WutNXBoY4RbifcKly/kNwSh1mMbS8X/9Wv8PiL:JDnr3zZ31lVsgENSsfcKaZAFF88+
                                                                                  MD5:4379902C4180A9A6BF40B847372CEC5A
                                                                                  SHA1:C7FC8184D5620154B9BFD6FBC8820A78C4EEE592
                                                                                  SHA-256:61E703E8D231412F135B4ABA629122D9CB69AC9EE39FA3CBBE6B95DE05097A8B
                                                                                  SHA-512:9269F49A5CA90143C50B817E9F5AEC0FC4C32BA1B6D3A21CC5448CAD21A16A902540C8CFC1825B124CE39E0BDC479ADE4354B6BE15B2067E3033E04998E0710A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 894638 bytes, 5 files, at 0x44 "D3DCompiler_42.dll" "D3DCompiler_42_x86.cat", flags 0x4, ID 10010, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):903806
                                                                                  Entropy (8bit):7.998441664012848
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:kWl8lkb28nNHiYNk9tb59zmj000KFiBudeBsbgy:No8NHi7/pAJioEy
                                                                                  MD5:87BDAE64FD47A75F867A290EC7B8A4B7
                                                                                  SHA1:DD9E69E1815E8BC161E8EB89A0F2A296074BB95D
                                                                                  SHA-256:6BD32337826F5A5141FC06391919A249E984150905C2546DC8BFC33D41A24E82
                                                                                  SHA-512:C8F7A490722741DF4E03823880C6D623FF16AB648A40C1B1C8F7BF26C92499EB34C4596BF239337CD23A57974757958AD9A30D42A4141DC0E7522F998ED3893A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 3313780 bytes, 5 files, at 0x44 "d3dcsx_42.dll" "d3dcsx_42_x86.cat", flags 0x4, ID 7865, number 1, extra bytes 20 in head, 169 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):3322948
                                                                                  Entropy (8bit):7.9992960947448655
                                                                                  Encrypted:true
                                                                                  SSDEEP:98304:hd4ZyuDJf9oMm+hWh3ZHD8VZQCbsY/ny66RHX:BuD8b2WUZQCg+ny/
                                                                                  MD5:73BA11CE0E936726FC9FCB882F8B91EA
                                                                                  SHA1:4A4BABE3AC751E60AE6B5B0D69C93FA53D7FCD21
                                                                                  SHA-256:A9A704B73531D6BF59A421AB5C046C19A16D2B0B07F09816DBE9DA4550A24B17
                                                                                  SHA-512:9A198EB93D5623651D2981A277EAB4C345C08161254D0127D90C97344450AC1A7FD5C8AC840048A43A347E3296B286B646EA0FBA88F0C7BCE1CEED1484112D56
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 186171 bytes, 5 files, at 0x44 "d3dx10_42.dll" "d3dx10_42_x86.cat", flags 0x4, ID 7280, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):195339
                                                                                  Entropy (8bit):7.996178589789764
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:/hxMUzbnbaWbX0JkFvs5aQnkW6sJ/Fw395/lfLxBQLgGlekmQI84HAGujR7j:5CEbiqvs5aQnkW6A/8jlzxBw0/Erd1X
                                                                                  MD5:F264AF5A36B889B4F17EB4D4F9680B4F
                                                                                  SHA1:1DF087EA99D321EC96D0D2F1C66BEE94883D6F08
                                                                                  SHA-256:BB46189EB8CB7769EB7BE00CFBC35902072FA9408313EF53F423E5AE5C728F61
                                                                                  SHA-512:73AE1CF3CAFBA148F4E5B4D8AC12A7AA41F6ECAC86C139C6A7714F90F3DC61C444DC152A3AD3C2CA800C1A1F4955A2B508735F8490666B57D1420FB7A7BFC269
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 99084 bytes, 5 files, at 0x44 "d3dx11_42.dll" "d3dx11_42_x86.cat", flags 0x4, ID 7285, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):108252
                                                                                  Entropy (8bit):7.991332626956763
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:MI9cI4N24813fwIsfQqzjoroJ1OL79D+0sFGmNjFRchFxLvk5yswFa8D+0qlt6s1:Pah8Vo/1uLJoGmZEFxLvcwM8DZcZxb
                                                                                  MD5:DD47F1E6DC19405F467DD41924267AD0
                                                                                  SHA1:85636EE0C4AF61C44D0B4634D8A25476CF203AE9
                                                                                  SHA-256:39FF69BA9161D376C035D31023D2FDEECB9148A2439ABE3AFD8F608F7E05E09B
                                                                                  SHA-512:F77C4CEF5CB7E927948F75C23A190E73D6C75B4F55915859046533A10AA3C5ABAC77D8BEF71A79368C499C85009213E542094B85B94B69E62AA66B60616777C3
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 722496 bytes, 5 files, at 0x44 "d3dx9_42.dll" "d3dx9_42_x86.cat", flags 0x4, ID 7080, number 1, extra bytes 20 in head, 59 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):731664
                                                                                  Entropy (8bit):7.999475174279291
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:IDTg2rIyRKFAtmsFp1UChyax+LFl9NiHEpMH5Vfe8PIqEqnyA6F56J2:M02fKYVFvhKLFl9NikiH5V28PXyA6GJ2
                                                                                  MD5:9BC8213933598D050827D20A4573486C
                                                                                  SHA1:E6F9BA62756A00C53746419DEA221881AEB336CF
                                                                                  SHA-256:9C96B6FC4DF5C0EFCA9F0D653976772B2B964243214F99066E4CA4AA6DF791DD
                                                                                  SHA-512:A1920D042963CDDA41DF44044DE5B94B4CEE6EFA102F633214E384918D93D2D6A31EB388BDBD00C7E9C199281E3B71CAA5242E9A42E7F0BE27EDF90A3CF6890C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1352016 bytes, 5 files, at 0x44 +A "d3dx9_28_x64.cat" +A "d3dx9_28.dll", flags 0x4, ID 6650, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1361184
                                                                                  Entropy (8bit):7.9996739284035945
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:MWKJ8/HOO46naMPT4WtPIDONJkwzpow5Xl6tgvmKSGfEov6tTc1RImGLtqrtYEm:Mj+146nP3PIabkUl6tg+KSG8o2TcRG8E
                                                                                  MD5:D964ED45FF274DA2C8F48E2CBD00AA9F
                                                                                  SHA1:5C2E5607065238FB24A0B65DDFC904406615E2A9
                                                                                  SHA-256:DAF10A54089755F9A8ACEFF0C7695F1AA42D35E3179DA5B9BB91E409036AE547
                                                                                  SHA-512:A74E2DD4BFB037E5F5A1DEAA86F9C4A354F023B62E1F2075509FB707EEE1725B1136441D1059BD3929AF1A44F6372DABEF9CD15D386A77B2B22A532B74CF16AA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1073496 bytes, 5 files, at 0x44 +A "d3dx9_28_x86.cat" +A "d3dx9_28.dll", flags 0x4, ID 6914, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1082664
                                                                                  Entropy (8bit):7.999121865147412
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:Wa0lNxqf7fg42FhNffA/Lj41q7+YeSFfSKidHVmTJwagz8u:WHXx652fNffm0oleSt3Fwa3u
                                                                                  MD5:B1CCAAFF46FE022439F7DE5EB9EC226F
                                                                                  SHA1:8BB7225DF13E6B449D318E2649AEB45A5F24DAF7
                                                                                  SHA-256:645F8D90B07C69330A8C7C8912D70538411C9A6B2813048DA8AD3C3119487F93
                                                                                  SHA-512:2B59C07584D45705273A975A0223E4443DB190675558AB89D92E1572DE4843BE3D0D1267818B19185E4E438A8BCFA2AF5FB5EF2A119DA270BE4540576FD78C77
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 206847 bytes, 5 files, at 0x44 +A "d3dx10_00_x64.cat" +A "d3dx10.dll", flags 0x4, ID 6580, number 1, extra bytes 20 in head, 17 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):216015
                                                                                  Entropy (8bit):7.996946294916653
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:SGo145qtWQt9fL4bBHlKqDfaqaGm3+vqm9/Xx0b6POnzED/RIxeqTk0T:SGo145qtbt1LaeB36/xc6PkV
                                                                                  MD5:681407075E9B19E5EF2218832F6FAD71
                                                                                  SHA1:E4F4D292A36CD9A3034007EF9D2005694307EB52
                                                                                  SHA-256:F9BD5BB083BD55D1D2A690BC66D6D9DA0B1A8B49F09E811E788C030669121118
                                                                                  SHA-512:E983E7DD3F40510816FF3AE836600A186DBA827B484B0C346C20E43E229189A86D4CB5CF219C1FC35B77AB0668866446F6E9206B279931C927D4ED66AD3625F1
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 185760 bytes, 4 files, at 0x44 +A "d3dx10_00_x86.cat" +A "d3dx10.dll", flags 0x4, ID 5461, number 1, extra bytes 20 in head, 14 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):194952
                                                                                  Entropy (8bit):7.9966042762544145
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:x4mJ4SadBGg8IZrdosr2nqOwY7l43gRDlcGgp6VMslgVwxikcBmEi21wx8MqX+dN:xJJ4VWgzZptAqOf6wRD5g0VlgVwxL21I
                                                                                  MD5:75C33157D8A1B123D01B2EAC91573C98
                                                                                  SHA1:E3E65896CE0520413979C0143C3AA9BD3A6A27D3
                                                                                  SHA-256:02DAA8B5AC3752F76C3BFD9A505EBF22B1B4B41E44EB92CE2799033B2330D186
                                                                                  SHA-512:F0F1F1DEA5938E1C7FF2ADF7C8D421C2E68E6D3A8CDF18D0F2F3FE1C6837A4F37B367D2D974C35832D1D85A619948DD0F250C7D6DC4AE39F618F5A2893EAC7DD
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1565194 bytes, 5 files, at 0x44 +A "d3dx9_32_x64.cat" +A "d3dx9_32.dll", flags 0x4, ID 6631, number 1, extra bytes 20 in head, 137 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1574362
                                                                                  Entropy (8bit):7.999757508861621
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:AbmMc7lXv7PY1QKs16rjZ1w00Z2xgaJgYRf4MyHGktr3+mlQmxHw8gEeGrs+RDb1:Km7lXk1Zs1Mj0SgyqP3RvxQX7G3H1
                                                                                  MD5:2290064562F2D6D197765F4EDEBC5BF0
                                                                                  SHA1:70C2E3C3EB521BA4C46C428D57166631F86512C8
                                                                                  SHA-256:DA1CE01BE39F41F967282849715E8310DC1887BFEB92C4E0166D2C31F00647F7
                                                                                  SHA-512:B25A517DE79668E3ABD88ACDE835DF4A0D69E70CE0E001DB31D5DEBCD812BCE46F4ADA5E07C036C7BBE88D6DFC9F6531B2198F03FC27FA46070C790B45955DEC
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1568416 bytes, 4 files, at 0x44 +A "d3dx9_32_x86.cat" +A "d3dx9_32.dll", flags 0x4, ID 5512, number 1, extra bytes 20 in head, 105 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1577608
                                                                                  Entropy (8bit):7.999092247669469
                                                                                  Encrypted:true
                                                                                  SSDEEP:49152:VKo9fY3tlVm3JjPueurZ8zQbC88LHhpu97Sm:V13BFurZ8U18uSm
                                                                                  MD5:A5BEAD938AFDC63ADFECC1DAF5049D7F
                                                                                  SHA1:B3D5BF56F6B9BF87C33009A088BA7785B6363B4E
                                                                                  SHA-256:A1CC7603302EE53D54F4353C223D95E223706924D99B864220B13814EF93EEFB
                                                                                  SHA-512:C9244BBCFE60F347EC8785B1A41B6E243153624EA73B16DB4D624239A69FA76D2DF2E54039D8F4D2C495890AC17B676E390F796118B4E16D9F03683247190362
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 186515 bytes, 6 files, at 0x44 +A "xact2_5_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8443, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):195683
                                                                                  Entropy (8bit):7.996606477865772
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:ZCISkfUHof5yPnSKfEGMKBQ0sncpIt1EXRN0F+jTx8bh44VhRjR+t2h5fjJfn2Eq:ZNdUIRanSK8Gd0nKIAN0F+RWugXRa2bi
                                                                                  MD5:F34FFBDB67DCF84092C9D321E3343D3F
                                                                                  SHA1:52FAFA930C3464E070E1E4692D4600B12678E9D7
                                                                                  SHA-256:BDAF9C41F83E65DE2B73AACA2002541D48C65F551CFA0578B3259D3BFCA54EAD
                                                                                  SHA-512:A78D32EE71F5B4214E9B8B95FB8BDD4B629D34529FAD7A494219175CE5CC129A3F5C500D426AFE0DE6A680977FB86ABF0B77BE353D8D19D6ED1A11C421C6E757
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 139639 bytes, 5 files, at 0x44 +A "xact2_5_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7324, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):148831
                                                                                  Entropy (8bit):7.993942345904899
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:kF/u2w4VarOr9vE3eKgpEUcXDlkCAMsukGtnJW+ATOcfKy:kF/JWg9vE3eKzXDeMpNnUOcfKy
                                                                                  MD5:082B7D69F96799AA2AB1A8EA1FA2AB88
                                                                                  SHA1:75C7032B749259977C947A5103F9A4B92C2025DE
                                                                                  SHA-256:B98E55C654B9EE6F6D040665D932BEA7A1299C56CC9996EEA900AC4F5649C7D3
                                                                                  SHA-512:57C96A4C99AB9A7D33A8CC81A3B4E2AB58FE3A2FBC7F79AD688C7D0257D281C662D4CE0737F68C00D15F715BC6177D2FF9CC32A69CFB77216265FA56FF79DD8A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1241539 bytes, 4 files, at 0x44 +A "d3dx9_24_x64.cat" +A "d3dx9_24.dll", flags 0x4, ID 4731, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1250707
                                                                                  Entropy (8bit):7.999567218170613
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:bsacaEhnsKcwXWOBfH7OhvlY2HIbbK09zRy2/TnN75EEvIOiOhpbF:xuzcwXW6YlFIbtN7MOiOh
                                                                                  MD5:DCA673A8F9F834F9370862D1C97FD9E7
                                                                                  SHA1:1A0CF0FDDA2C9E8ABDF5CC19FCDBEAF1BC1639E7
                                                                                  SHA-256:BE3DE63F136A2B41D3229E477CE2CD7F67DED031B4B370E640C39B80368238CF
                                                                                  SHA-512:255270BDBC1DCD6A3213D8F0DA2E48C6445B0141C5148EDD1DABC9CA4643667651694B68013412A4F2EC90CCD60A757F64A9A76E2576C4FCB056DDE726A6F67B
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1007265 bytes, 4 files, at 0x44 +A "d3dx9_24_x86.cat" +A "d3dx9_24.dll", flags 0x4, ID 4987, number 1, extra bytes 20 in head, 69 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1016433
                                                                                  Entropy (8bit):7.998972724711677
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:T/HUK+hlSM4jwe8WpmQUrxiUyULWoF/V++TYrjVdLa1:bHURewe8W4VN8uF/VhMr5s1
                                                                                  MD5:7029866BA46EC477449510BEEE74F473
                                                                                  SHA1:D2F2C21EAB1C277C930A0D2839903ECC55A9B3E8
                                                                                  SHA-256:3D4E48874BDDCD739CF79BF2B3FD195D7C3E861F738DC2EAB19F347545F83068
                                                                                  SHA-512:B8D709775C8D7CA246D0E52FF33017EE9A718B6C97C008181CD0C43DB7E60023D30D2F99A4930EBA124AF2F80452CBF27836D5B87E2968FB0F594ECA1EBF78DD
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1356836 bytes, 5 files, at 0x44 +A "d3dx9_29_x64.cat" +A "d3dx9_29.dll", flags 0x4, ID 6656, number 1, extra bytes 20 in head, 120 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1366004
                                                                                  Entropy (8bit):7.99967777757325
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:Qllh+6W44yAAf47xvIWTTbTpHe3Agqqvx3C86vBOZw1b4oWU+vz3zJvxfIc:Qh4DhlgWRHeQgtvx3FABOCth8vzN7
                                                                                  MD5:33618039DAC4E97C813E5BC1A499E6C6
                                                                                  SHA1:C792B9D0134DF698476C2FA4179DE6BCE8AA583B
                                                                                  SHA-256:A5FFAF9D58DA5D79402C4DC93E79960F971D2701D4651BB33D18925AF641F11D
                                                                                  SHA-512:35B490903721CA5FAEF73815D4F9C6F52EFAB1FE82A4FDBD7566A1B028525AFD29A72DC68D4B7D219CFA5CB33FEC241D6B2784F15F9795D368DC356B3DF30B5D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1078760 bytes, 5 files, at 0x44 +A "d3dx9_29_x86.cat" +A "d3dx9_29.dll", flags 0x4, ID 6921, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1087928
                                                                                  Entropy (8bit):7.99922866964108
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:MWlF24ngnZPhX4ciAwvVHgK6SgHY6OmSfLV+:MWls4gnZTmHx6SgnPCY
                                                                                  MD5:F6CC1C08D0F569B5F59108D39CE3508B
                                                                                  SHA1:E9CF7EDC8C9C4B57A9BADD8386A2117EC5785AAB
                                                                                  SHA-256:4114E76799AF3DA9DB3DAE51305DAD70A05B757E506E4A327092D536CCA7EE75
                                                                                  SHA-512:86DF72D5B15396ACB504C1AC9DE7FF5C0CC9C95A90FDD82DAEDC55BAAD490CC47A71CB511571D37E25DD9BC1EE9652B9723E33879BC1756A7881A8E61EBC59ED
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 172399 bytes, 6 files, at 0x44 +A "xact_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8042, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):181567
                                                                                  Entropy (8bit):7.99567918868168
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:d0F/biJLp9lt7vCmPW8+bobje8bRuaUDuHxiViqmFT8K9rz3a9cO2A2XSHao4svF:KqvlhXu8++q2WuHYrS8ky2A2XKJvub/I
                                                                                  MD5:582102046D298E7B439C819895F6061D
                                                                                  SHA1:09900F44668350118589F18C693B131D7C1F9238
                                                                                  SHA-256:C91A6380C65853E41E2F9593B954F3B5AF49BCC894476D8EB78CD9F8B6DD7DA4
                                                                                  SHA-512:8AABBCBC88489FF8828D532BE5C1BC0D33D7960F41C7B38348AAE73BA4777999F4358466D061DDD8291DBD434E7741EE2C3215A10F8287BE36209E0842C4EB2D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 126449 bytes, 5 files, at 0x44 +A "xact_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 6923, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):135617
                                                                                  Entropy (8bit):7.992141777548868
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:EaLgbEzMsJxjJDOAfpPt4HvbVs/m2EKtaVNRF+kA5Y0L5XP/JwObYeM57H:LkgzfxjUWL/3EKtqNlGYeXqObkL
                                                                                  MD5:FEC720C0C15C43569EA9FAB7CEAFEA95
                                                                                  SHA1:C65235B40865725A00675F1BC013BA8B77307669
                                                                                  SHA-256:6456FC26622F3A72B9449ED0E61874CF1ADBA23CCCBFCDA1324F033FE0788FDA
                                                                                  SHA-512:8EDEE940930E3C610E709E2C6348ABAB479628BFAC71A0C507F46AF8D80F1F0C6E31C7C44AF5F884668CE472B281FF18CB44A97AB68232D455B7BC8F89A75268
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 188715 bytes, 6 files, at 0x44 +A "xact2_6_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8448, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):197883
                                                                                  Entropy (8bit):7.995921670109717
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:aX7CLQxFiIUEWXDCsi3jGg+U2p2z51zHdZ5a:78iE1sx0s
                                                                                  MD5:CC622A75240CA96FA8F28BD984BED5BC
                                                                                  SHA1:424F216C5C0E02AE654612EAEB04900C9DAFBC61
                                                                                  SHA-256:3454D5101716A5C17BCDEE8632668D981F99E8558D8D05E20A33ED718ED8C2AC
                                                                                  SHA-512:EAB36CD6BC3AE6F67D89996785F9C7D51E140BFB839A866B4E4FFA7809846DF861D30D1FCE2E1A498E8403DECA5CCBC50B8F37F4C1B4AD3CD3A63B150C49ECEF
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 142023 bytes, 5 files, at 0x44 +A "xact2_6_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7329, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):151191
                                                                                  Entropy (8bit):7.993972565562067
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:4uMWvVgAanBDv9WkUtrr/uZfQMyolbnXkFDwoY0ZwuY:BVgAutNUtrLuZfjjljgTY0JY
                                                                                  MD5:A09F7EAB35816D682E7432DBB36B047D
                                                                                  SHA1:DB67B9434ABAA8E7F166956A1C8D01F536162C21
                                                                                  SHA-256:0E3655490667DDF17150AEC089889268BDD7F1E8367D2BED6F3EB68A5FF28288
                                                                                  SHA-512:FB1CDBFB3CDD60783D1C8696EA6EFB746331880C79AA74052808CA09092CF1A2336BF784104D16203740998129B718DC0AD4A632E4031E85CCF340C593F05E57
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1330042 bytes, 5 files, at 0x44 +A "d3dx9_26_x64.cat" +A "d3dx9_26.dll", flags 0x4, ID 6675, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1339234
                                                                                  Entropy (8bit):7.999619123900207
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:acfUVHkSDmhcG/IQtmLMLfNYIpTTHh0am4l76wbh:XUBvDzfQtCMLfNYqXqal75l
                                                                                  MD5:05103E47F259FA22D27C871E4CDEE7D9
                                                                                  SHA1:502FA5D15FE56DCF64431BB7437E723137284899
                                                                                  SHA-256:794E23D8B08F88BB0D339825B3628C24CD0297195657F9871EE6324786FADA36
                                                                                  SHA-512:180E0ABBD97B6781C6639C6AB2A2355400B8E32784A8469C3CBEDEA23B121CAC5BA17F6AA509610D0A1E5830735455690F574054D6224A6A5D2AE70EDB601835
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1058965 bytes, 5 files, at 0x44 +A "d3dx9_26_x86.cat" +A "d3dx9_26.dll", flags 0x4, ID 6937, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1068133
                                                                                  Entropy (8bit):7.999040217820951
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:NxFMsUF1MmwONoWu85w6SFBu+vveJ0sut3z2A1s9z/D8gigA:V3dm3NoW+9FBhuJ9ut36A1s9z78giP
                                                                                  MD5:029359EBCA4BA5945282E0C021B26102
                                                                                  SHA1:6107919F51E1B952CA600F832A6F86CBBED064B5
                                                                                  SHA-256:C44EABF5BE3B87CD845950670C27F6A1E5D92B7758BA7C39C7849B1EE1C649C0
                                                                                  SHA-512:FA007F257F5267119B247EC4ED368E51FD73E6AEA3097E2FC4E78078C063AF34D161FD1BDCAF3097BB575D2614DBA226A624D060009EE4F7BEDA697EFCF42BB7
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 174825 bytes, 6 files, at 0x44 +A "xact2_2_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):183993
                                                                                  Entropy (8bit):7.996017590596314
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:fC8YuRPaoTUX/SmAwGUGY+geIhVhbjF/kZ8FyQU02JhzqhA7J4rMgThmwQvzb7e:fCoJaoT8/2Z9YA+VhbR8Zwy3RimwQvzm
                                                                                  MD5:D404CCED69740A65A3051766A37D0885
                                                                                  SHA1:288818F41DA8AB694C846961294EE03D52AEA90D
                                                                                  SHA-256:5163AFA067FE2F076AB428DD368BA0A2CF6470457BA528A35E97BE40737A03C0
                                                                                  SHA-512:87998E67B359C2A0D4F05DC102F6C4DB4F260903385B7558A2C1A71436001D5B18F42B984E6B279A8197243593C385D41F51DE630FA31C5CA5140F6970F87657
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 127711 bytes, 5 files, at 0x44 +A "xact2_2_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):136903
                                                                                  Entropy (8bit):7.992894428315885
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:D12mlhVvEbdSlFHljhuz+iFmKtp5LW+pc7Y5EExt2KF3:DwkMhqjhuz+efdLy7YSEP2KF3
                                                                                  MD5:CFCCA19D60EC3D822ED5EC8BBADEC941
                                                                                  SHA1:AB0E87182877991810AF48F1478906C1E671829E
                                                                                  SHA-256:23495764ABA10FF35CF9D23AEEFFDF38716219D8A155AE29162F01F7FE6A30CF
                                                                                  SHA-512:2ACAEA2DE2D77BBE8206E8309D48A4CBA432D72FB9BDE2576BCE7A31EE29FDCB0D44C2B996E8DC21A31BCDB03C806E11AD53B74D9C4C972436D5202825900C01
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 693084 bytes, 7 files, at 0x44 +A "d3dx10_34_x64.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 10180, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):702252
                                                                                  Entropy (8bit):7.999542751209748
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:8B7y3n2GQi70ZEqAEToKVkDYK96luRC/Qwrkxb0b9fhXNkVkN2t3r1:8BO/j0ZWET/isK96luRC/jk49JN2t71
                                                                                  MD5:1AB35D11274D1ADBD316B19C44B9AE41
                                                                                  SHA1:14165EC367CE179588C8A5806FC968FDB49B4ACA
                                                                                  SHA-256:02ED1B5A850EDB52EC174DE177E91842EDC7C5F4C06CEDA5B16F3427DBCD4C99
                                                                                  SHA-512:71C8FAC7C95211D323C4FB6A02916E7D43EE399BBE0F1D983B5AC210F5039B23355F40B36F023F3C36E19787E2871A60CC389E51D6327652CD84D9E3B93D5A4D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 692512 bytes, 6 files, at 0x44 +A "d3dx10_34_x86.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 9065, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):701680
                                                                                  Entropy (8bit):7.9989902264021255
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:SuBBWP1krfKO0BZwB6ux8hBXsRbD3RazqgwLdJPMqHy7qdXCyhUW3zE:DBTrZ0BZwV8fXsprRaxsDBHyWdXg5
                                                                                  MD5:19383CBADA5DF3662303271CC9882314
                                                                                  SHA1:123C97C33F7EF2BA345B220450F181D440412E6B
                                                                                  SHA-256:8EC971C91040618338AC2369188F3E5D7C85A5B1E3B9FC8E752DD845D295CDBA
                                                                                  SHA-512:A4C6ACC9FF656E05D75AE0081C65C200B584209C99FD001494C4D206F2CE8A78D2DD3644E51018574928F3B9E9373BF7EC8C5147A3590B54D1C6D50E61342853
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1601814 bytes, 6 files, at 0x44 +A "d3dx9_34_x64.cat" +A "d3dx9_34.dll", flags 0x4, ID 8310, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1611006
                                                                                  Entropy (8bit):7.999795394912666
                                                                                  Encrypted:true
                                                                                  SSDEEP:49152:dyO6V3G0SAcId5iPNJKbtZJSlR3Q0872iOda:dyDlSA/5iPNY7Jo3GPOda
                                                                                  MD5:8DBAA3047397EE4CFCA2EFFFCC2DFBD1
                                                                                  SHA1:D88FAD72D7EAF38B8469B2B8492311C39C42BE04
                                                                                  SHA-256:FE4B15931E048C97CBBC26F753093E7D41ECCF174402542631284F8BDB9EE692
                                                                                  SHA-512:1CE01BF0BD4C0D832D95B13E958DA6CB69C0D3949B128FCF40EC59ECC0AD8989B27C91EAC28CD98777D57DFEB811CC1077FDB87348A11B6370D806771D7E742D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1601326 bytes, 5 files, at 0x44 +A "d3dx9_34_x86.cat" +A "d3dx9_34.dll", flags 0x4, ID 7195, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1610494
                                                                                  Entropy (8bit):7.999066428256981
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:ZBdkB3TM+mIf4qyM0iJRy3QvQDxPYKhatPJZcg9QwJeYX34eq2F37kRVeLbdiL3q:ZPU3TMXxDVI3vQ2KSBP4YH4aAELbdK3q
                                                                                  MD5:FE8FEB215FAE59866DCD68C1604D97AA
                                                                                  SHA1:CEDACA678D15E78AA458B965ABB467E8964A1FAB
                                                                                  SHA-256:1C1E1C6F68BA556A0AF09A38C32EB421C543A4848C4B42D25867C98DAB3B3A50
                                                                                  SHA-512:9955336B561E4FD3BA3DA7FC086643E811048A25A7E68344D2CC5CAB091980BAAE1C04CE41328B59C896662E2875886B78EC869852B2D1DAAA46AF38C894A3F2
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 191162 bytes, 7 files, at 0x44 +A "xact2_8_x64.cat" +A "x3daudio1_2.dll", flags 0x4, ID 10131, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):200354
                                                                                  Entropy (8bit):7.996324633982409
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:Oxuwfa4lebkGyR+DPZLOYZ9lD7baC+PJEDzfYPO6quXhBhYDLk0siPnJ8WKKiu:Oja4WkNWOYxX1+++vRB200ssJ8G
                                                                                  MD5:B9648D12DF695290BE0479C1E78894C7
                                                                                  SHA1:932627D40A83411F9F4006792ADEEB4C3A74CF37
                                                                                  SHA-256:3F2CA0ACCEF2594FB014296F4111B7FBB59729C5D928B22F7283C392494FEE7C
                                                                                  SHA-512:240B622B02C5FA3D036043ECBE5BF29FEE447147AF36E795BFAE83FAFA35934FC22A3E9CC2D846BD880D7808897355E16696C555146EE69864472D4600AD25B6
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 146949 bytes, 6 files, at 0x44 +A "xact2_8_x86.cat" +A "x3daudio1_2.dll", flags 0x4, ID 9016, number 1, extra bytes 20 in head, 10 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):156117
                                                                                  Entropy (8bit):7.994909703055095
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:tG7RXkNHRrOaYVD5yEThWmLksx2MeEm6oOD4+3y20OXtGhlYRTPZDT5P/lJXptA:eX8KVD5yETfLksAMUHo4+T5IhlYRDZDy
                                                                                  MD5:001CFF513A31EE082133E7BA3B0D71A2
                                                                                  SHA1:4517610A25239A16C26CA9890E1F0E52DDA3781A
                                                                                  SHA-256:245B0C554CBE2677939A70E5C4C6666B1B43D10D47980223F8CDEADB2D0EB76B
                                                                                  SHA-512:7119F6CA16FE6D968310F34828F30D8144531B89583CFD529056D2E31D5164FC65136FA9015B69849F724EC641A9291AC644C91CC3FA8EBDD4DAF9CF5A665A7F
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 843959 bytes, 6 files, at 0x44 "d3dx10_38.dll" "D3DCompiler_38.dll", flags 0x4, ID 8962, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):853127
                                                                                  Entropy (8bit):7.998980130768887
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:IKcIh4DqtGLRndZKm4zZTQb4BJ+gfG07QyGeZH:IKc64DgG9dIZTQb4L+GGIGeZH
                                                                                  MD5:B0E2B612DAF28B145B197A4DB0A9B721
                                                                                  SHA1:F69266E4AF3D2DE31A2A2E416F10B0F44737739A
                                                                                  SHA-256:E8DC1063C9434EED8D633741B19CDFA1889581041E2214B87B5159E3EA087F3C
                                                                                  SHA-512:6E31F18CB75CE69D291D0ABD15EDADF02C0693033351DFB2F435312A47540AA223C8176209725C14A05FA6494153A3E191B2FB7CB8C5CEE11FB42371CE67392B
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1457918 bytes, 5 files, at 0x44 "d3dx9_38.dll" "d3dx9_38_x86.cat", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1467086
                                                                                  Entropy (8bit):7.999726422350297
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:HGIly6o6H1kEznWRpKpx5A0SBF/VnjmkC8nAMzh08qF4QH5/RSzsExkqv4Q9hHi0:Hh46Tn/UXVjmiJlO4sVRSzdk5uhCbOka
                                                                                  MD5:E2FB2E37C342983493C776BD81943978
                                                                                  SHA1:2A8F3C45CF979966D4D4D42A4D34F05C72C7E29E
                                                                                  SHA-256:57E57A6348E55AAACA6BED5E27BBDD0A4BD0DDE69C77F4D26C805BE6384BE927
                                                                                  SHA-512:2D297F607C5A098A3D2B19E7F88AA12F720AF3C23FE6DDCE7D4659A9184D1CF8F8A76F35B8ACB639B48CDAD8998C919215A03B89207E2BB1829EA3D8A9EFB95A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 925511 bytes, 5 files, at 0x44 "D3DCompiler_43.dll" "D3DCompiler_43_x86.cat", flags 0x4, ID 10023, number 1, extra bytes 20 in head, 65 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):934679
                                                                                  Entropy (8bit):7.998315243107519
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:pOWjUzqd7URYQio4yGDUATxoWDYicd3qRbmXHphTheb:ptx6RYQiL1DUA7EicSbUJhIb
                                                                                  MD5:E7DFA140CB0AE502048ECDF1E42360E6
                                                                                  SHA1:4DB08318F78F076FCC6FF29737B3D6D676F59C54
                                                                                  SHA-256:293CED557AD732ABD2737333DF39B08216F31601D7AB65B743FE51B4EFB8B6F0
                                                                                  SHA-512:39B69A5CC4A50DE72D031C41879ED7644B577A9E3E3B44BFECC61D5312C7C32C964DC2CD37DB711F7E486F444CA77FE732C642F3E494E6DA1BC1CF774D9EF75C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 756228 bytes, 5 files, at 0x44 "d3dcsx_43.dll" "d3dcsx_43_x86.cat", flags 0x4, ID 7878, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):765396
                                                                                  Entropy (8bit):7.996955154936438
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:C8Dx0/99rEneJVyrxcsaWmeUEEBTJNCK/FcZZXlewc3/2tqCyrIUl3z82ItDwh2Z:XDO19AVrRfEHNZWZrs3+ICyco3MDISTT
                                                                                  MD5:E34C0CF1BD5A68C80BDC709A452EB322
                                                                                  SHA1:4DD4553EC7E2E42D51A716B1F4CB58588BCAA164
                                                                                  SHA-256:799B517227812252481C9C9B22CF16FF185FFC20B9273612C8A37153B53AAD93
                                                                                  SHA-512:3488A52F6FD3681B10624546B923368245F969330D4909E91C5B58F159CD24B258A8A2274D62243CA5CA9F1FB40F9F248B3BD92283F775DD24BAF68ECC5FD03D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 191323 bytes, 5 files, at 0x44 "d3dx10_43.dll" "d3dx10_43_x86.cat", flags 0x4, ID 7293, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):200491
                                                                                  Entropy (8bit):7.9966634458730566
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:kD2Fju8h1xkWCD/5e8U2LK1aQAMxVz2aoOxoY4+ApyP0EwMGvFas+8QJgdBvCD7D:kwbCleyYagxVCaoV+ApcnG9aKQJaw/
                                                                                  MD5:591A61BD06C73C70F93DAC5AF2D8E924
                                                                                  SHA1:C9D36AC5E2ACAC31A7413D22ED1C09C71CC96FFB
                                                                                  SHA-256:F0BC06CEB484D97CF01526F9223DF7B4357D166C4391869F2E7D514DC1FE769B
                                                                                  SHA-512:3E2E3318A700A6ED82A21018403CA99728C8A56B7DF81F99A5D705B586CEE1141586DBF19A01EF1F1A72DDC8F45DDB51BA5769AE4634B02233EF1AC4E0FBA5D4
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 103485 bytes, 5 files, at 0x44 "d3dx11_43.dll" "d3dx11_43_x86.cat", flags 0x4, ID 7298, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):112653
                                                                                  Entropy (8bit):7.991810619702373
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:tXMVzDTlrM28bEHSqgik2ono4DQQ/7cuBFbb9aD4:tXMxNjG4gikye5FBtBr
                                                                                  MD5:061BBA3836B3FFCBB01B150467BBE951
                                                                                  SHA1:00D8FBCD4068B3199D3D393BB4B86BF82985480D
                                                                                  SHA-256:B80DB68CD82CAF8BEDAEE62808171B20C546A76499C3AD53014E3BD2FBD2918D
                                                                                  SHA-512:AEC8327E1CCC0B33B3E32D66A5EE25C4B70A227B708D10F61EBAD2D998F3BE68145FA85C50BAA16A21EE766B336B1432FBEC02C75D698793092015C832B6FC26
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 762076 bytes, 5 files, at 0x44 "d3dx9_43.dll" "d3dx9_43_x86.cat", flags 0x4, ID 7093, number 1, extra bytes 20 in head, 62 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):771244
                                                                                  Entropy (8bit):7.999380380890997
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:E0b5pTUIVIRxV+yb+HJFnXQRGr85UpzQ3VztxmHN8DMFy0BJ1lSIug3SqHAlzJYf:l51NVO+XVLs3VztQHmYjBJb931I1NYI0
                                                                                  MD5:BF124B64FC3774F61D30DE0A405F0C6C
                                                                                  SHA1:2F8A8BABFA4E51555FCF125E8373D9C5F7F7434A
                                                                                  SHA-256:457C5CE48EAA0FE551B46DFFC1E4DCA985D261686D8D4E6BCED533EE1F682FCE
                                                                                  SHA-512:935922CE74BD399E8358693562F86C9B4B6308A6E33586A5DD61924F8B6B2CFD6CB2E472FD082B9EA32C0ABB9A799A0BA9103B4C316342F8072A7A3782C2116C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 812300 bytes, 6 files, at 0x44 "d3dx10_37.dll" "D3DCompiler_37.dll", flags 0x4, ID 8943, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):821468
                                                                                  Entropy (8bit):7.9989494569533655
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:k8Yjgk28yEYvDLX3XmZcLHo9yLvTJqnrT+LprnNjjjGM6pdKi814DYnciABrI55V:1Yjp/yEcfLI9y4rORNYdKibxBrIS6
                                                                                  MD5:8234B9B90BCBB5077E1B5FAA0B66D1A9
                                                                                  SHA1:E9207C572FDEC592B7C17A7F9C6F875C8A55B1F0
                                                                                  SHA-256:6A2727269E6CAC7C4D2E316333D29BAC0DC1CD7F51C36C0C08B0388203DEDAD2
                                                                                  SHA-512:74C94A6E092D7C828FC1E3FAEE4B21917AFC3CACEC04F260754190D0533F93A58289763AC620E5A577F7865902023B30548CDA4D9E968C90EE13050AD6D1E8C5
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1437322 bytes, 5 files, at 0x44 "d3dx9_37.dll" "d3dx9_37_x86.cat", flags 0x4, ID 7166, number 1, extra bytes 20 in head, 116 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1446490
                                                                                  Entropy (8bit):7.99972380205062
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:vFs/gTzoeHhwLMLDjl5XbCzgxt0Q98wWz35UM0vE03yYCmPI7ik:veKTHhbLDbDP0Q5UUtBC2PAz
                                                                                  MD5:8ED75E3205C2B989FF2B5A7D2F0BA2DF
                                                                                  SHA1:88846203588464C0BA19907C126C72F7D683B793
                                                                                  SHA-256:91A50D9EFCDFBCDF22A91D6FBB0F50D3C2AA75F926D05CC166020BF7AAF30E28
                                                                                  SHA-512:D0CF0E3AAD9C8C43A927D1BBBD253B9FE4C97B638AD9A56F671EBEDA68FC9BC17CC980D93095FBB248DD61DC11B7E46C22D72CEE848B150F7A13EAD9E08A7891
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1034785 bytes, 6 files, at 0x44 "d3dx10_41.dll" "D3DCompiler_41.dll", flags 0x4, ID 8914, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1043953
                                                                                  Entropy (8bit):7.998757160305283
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:JAEjuCeK6JgAkPBJoBgsqDP8FbGACV0L/sW0G+vv2:JFuCeVJqyxqDUFb9CV8r
                                                                                  MD5:45E83CBA5710A1DE7D3990A288122E85
                                                                                  SHA1:23C4BFBDDCFB11ACB7C47C409825F039AF7EB908
                                                                                  SHA-256:B7DA29103CDF374DE0C09713CB985035EAC45FB8B394D3B8157D8A7562A89899
                                                                                  SHA-512:8C56D376D349AA00948E1F3C6168DADE76AC9A26ADE1AAC5A385DCF0253602F5A2973483D083425195DB6AD7717494FD3CF674F5549774AC608CEFA2A88BF0A7
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1606486 bytes, 5 files, at 0x44 "d3dx9_41.dll" "d3dx9_41_x86.cat", flags 0x4, ID 7142, number 1, extra bytes 20 in head, 128 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1615654
                                                                                  Entropy (8bit):7.999772423092358
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:xFtN95ew18Yl4WTrZnZSibmmq18Whxp9pWISiIz9cXwowwenm2AB4qDA2mV7Q:newRFZ8ib6T3p9pW9/Z4bM/XkA+
                                                                                  MD5:901567428D8C82756D7BF5A406441BD7
                                                                                  SHA1:6E3C22147F3DA77AC8F20D615CA32B5EF2A0ED28
                                                                                  SHA-256:32356344AEDDF709C9D5302D8F3FCC1FF1BE2E82D8D17833A2086400AF248794
                                                                                  SHA-512:6FD4C429E32480BDFF4E58BA8BC0D28FE97C9FF5EF1FABBB856230EFA669246A354F99B723E7483D548B74C121AC8BA9CBA2B5BC3C18F35EE828302D392CF6ED
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 797924 bytes, 6 files, at 0x44 +A "d3dx10_36_x86.cat" +A "d3dcompiler_36.dll", flags 0x4, ID 9083, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):807092
                                                                                  Entropy (8bit):7.998858073625772
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:EL+Y8gC2xQcaINcDDHwNXjNOl93uN850V7ZcR0SEDR3l3M:vD2xaINcDHIzhs0Vwz6c
                                                                                  MD5:3D9A0C59156D03DA0F19C2440E695637
                                                                                  SHA1:55B050991CB17410C75ADC3913066BAEDB482ED0
                                                                                  SHA-256:BDF7FB01C02783A4F8C9F5E7911F5CAE3E2A7CBC425B90B36F9EA6EEF2C27DE3
                                                                                  SHA-512:E9A662498C43865E917F0778B772D6964517E41289CBF5A0B8A4E44D8C4B4E9A5049C76F2ECBE4ACC7E9CFCC3F1D87A75C3F8703E66804CE758969814BA14FDA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1703400 bytes, 5 files, at 0x44 +A "d3dx9_36_x86.cat" +A "d3dx9_36.dll", flags 0x4, ID 7211, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1712568
                                                                                  Entropy (8bit):7.999078652914364
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:fMb9V3TN8vuaBYlFhEbpdjRsI+CpoUjrn++qWYxhiUX21LVpmI9P2BZbcNU7YBP1:kJEvlmFMpdj/Npocz++q3X2tnLAcm0Bt
                                                                                  MD5:C5E127067EE6CACDD2F8962E6005542E
                                                                                  SHA1:22C571E4DA75A6E5DFE02E3E3587F40C2939C745
                                                                                  SHA-256:F52CC1304B533083B3FC5553C49433C0E4E46D66D567B9DE0B558CA518DB1544
                                                                                  SHA-512:E70DF11AF8CB5D51C3111B8327371EA40292580F06D7D265F2449B89A4941C4740BDE904367FBCB4158512939BBD7C7A3DC20D3642475789FC075A2AE8E27860
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 959461 bytes, 6 files, at 0x44 "d3dx10_40.dll" "D3DCompiler_40.dll", flags 0x4, ID 8926, number 1, extra bytes 20 in head, 77 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):968629
                                                                                  Entropy (8bit):7.999011847061652
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:JKTxCzc8gSDnU8Hz10a0s65QckarHGlImJtXn+QbtU0sHsqzn:mxCzs29r0WQma69nBbtU0sjzn
                                                                                  MD5:5DFEB46E60795266DA03F2D0A67E7ACD
                                                                                  SHA1:A77758873E5544E8AD22ACF469C4A0FD0C944A88
                                                                                  SHA-256:EC52B075A3E9C7FE468B317E0FF977964B1003D560065128741F4392BF47C49A
                                                                                  SHA-512:6EC058811AC017BE3CD3A46559CD73126666F41B0FA58D92C1168CF2A2E0E2357B19F65531C786EC81A438975DBECE440C5E7B6C653AFA5428CE6C444179AF6C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1544836 bytes, 5 files, at 0x44 "d3dx9_40.dll" "d3dx9_40_x86.cat", flags 0x4, ID 7155, number 1, extra bytes 20 in head, 134 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1554004
                                                                                  Entropy (8bit):7.999645278979612
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:K3tdQkdeoPJLiej+pb7Q15LwQrpLeWvYMWbPBmcnILz+0Byna:2dvdeAweSBQPLwgpCWvYMQ5mcnIH+m
                                                                                  MD5:75556D89FDD442967A23993C9111D997
                                                                                  SHA1:003DE53653C0CC84F8C3D617D1F76FB475F1A7CB
                                                                                  SHA-256:863AC3438F57158D4F53900C6924BFDC132AB43A5AF57D4658E65842836B4FA1
                                                                                  SHA-512:6086114500DBBF4DB9D0A9C3F72732995BB9A3AB5C135EAD53143749B95651B37B64BE7A52CA09388DE90216FD00486FDFCFBC87D42D77FAC469F82B5290E06D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1406942 bytes, 5 files, at 0x44 +A "d3dx9_31_x64.cat" +A "d3dx9_31.dll", flags 0x4, ID 6653, number 1, extra bytes 20 in head, 124 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1416110
                                                                                  Entropy (8bit):7.999689455720137
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:DapRo0d7USayTXsV6ZMwksqb7CL7eRS3OnQdPIKoQZvkGVOxtWcjxWO3ehFWG492:DU+0wyTXsMiw+OORhQRdZLdc1BehFV4g
                                                                                  MD5:EDBA7BC2A22F3186420C271B7291DCA3
                                                                                  SHA1:65483DB4269BE348528FD205239B811D775421CA
                                                                                  SHA-256:4F5CFFA56FD44F7775F12FC511A1E3F030C05AC78484F6866B12B82979067C22
                                                                                  SHA-512:90A9FDAD3D7F933DA8C3731E42D262034907D8088B85D7100BE46C57DEF02B436C31EB9FF144B9D67FD931F92A1677EC0CD762D9AAF066BB026F139499BA3A66
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1121257 bytes, 5 files, at 0x44 +A "d3dx9_31_x86.cat" +A "d3dx9_31.dll", flags 0x4, ID 6911, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1130449
                                                                                  Entropy (8bit):7.9990817245216945
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:fd5gyP75nbAgKdWsTLSCs3BZnH50ve35Jxroo6DS:F5fP75nbt0STRZn9nxrb5
                                                                                  MD5:F778928C9EB950EF493857F76A5811AD
                                                                                  SHA1:EA82D97077534751297AE0848FB1672E8F21E51E
                                                                                  SHA-256:4891E2DEA9D1798F6A89308E58C61A38E612F8433301EA2376AE14C3DFCB3021
                                                                                  SHA-512:1F382A287FC6763B8E8D66825E8256DFB7D0DEAD6B6A6B51DD7C4A5C86D536CC7EF4128BE0CE495FE17C859018750072DC7B43E3476D1BA435F209CC4EB6D43F
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 176401 bytes, 6 files, at 0x44 +A "xact2_4_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):185569
                                                                                  Entropy (8bit):7.996440771278114
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:m3ZITAOIgaJqZazyaNuGKQb5aML7XTXM9+37VD5d58Oxz+oKG+ONa8bW9uMBowLB:iImMo2aHb0MvDn3jdhzWONFob
                                                                                  MD5:CC568D26B5B4CDA021D528CF75B21699
                                                                                  SHA1:DD47A33950C9E3A88DEFCAA7EA331FB1F1BBAB97
                                                                                  SHA-256:662D4E5D005CDBA02FABB0D7A68A7B48ECAFDEBE21718D892833D5C482E5ADD7
                                                                                  SHA-512:24B53BBD82DEC594D9909352D1F2AFE69B6F082DB99AAB3385826C4E8D22F5C075F3C5A24C8104DBEEF2D894980319AF141C65D768A51936C75092A846F3C8AA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 132057 bytes, 5 files, at 0x44 +A "xact2_4_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):141225
                                                                                  Entropy (8bit):7.994197909856769
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:s0cnkrYXa8cJVIajswPlOA//GNzLriX5MMP6:s0OkrcajIaw+neN+XaMy
                                                                                  MD5:4FD2B859952C008DE0542053B15BF0D1
                                                                                  SHA1:0800CEC84B51FC6362C871FAB87A09DB5C4AD6D4
                                                                                  SHA-256:F6B6EBC9C239C5263AAFAA63FD691DA5AA715E9C794D5FD663E86559D5C6AE56
                                                                                  SHA-512:D656C3BFE4593EA9084A5D09F0173C8F6B7D6229FC7E3F6757AC03089CFA94A7337BBEF0456785B79D777B976F5A8259056D2DDCFE0F74D78C304A02BCEE0AD8
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):95576
                                                                                  Entropy (8bit):6.500059286855779
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:BG8tBKv1HCyODN2wjIqlLmqxY3AMVI4I9okOEvc0/c/sZRYltL26VVE2S+JJqsHM:BptQv1iyODswNLmqxY3AMV71Ev54EAxa
                                                                                  MD5:984CAD22FA542A08C5D22941B888D8DC
                                                                                  SHA1:3E3522E7F3AF329F2235B0F0850D664D5377B3CD
                                                                                  SHA-256:57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308
                                                                                  SHA-512:8EF171218B331F0591A4B2A5E68DCBAE98F5891518CE877F1D8D1769C59C0F4DDAE43CC43DA6606975078F889C832F0666484DB9E047782E7A0AE4A2D41F5BEF
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1566040
                                                                                  Entropy (8bit):6.387345800194587
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:GIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXig:GIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXV
                                                                                  MD5:A5412A144F63D639B47FCC1BA68CB029
                                                                                  SHA1:81BD5F1C99B22C0266F3F59959DFB4EA023BE47E
                                                                                  SHA-256:8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6
                                                                                  SHA-512:2679A4CB690E8D709CB5E57B59315D22F69F91EFA6C4EE841943751C882B0C0457FD4A3376AC3832C757C6DFAFFB7D844909C5665B86A95339AF586097EE0405
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):95576
                                                                                  Entropy (8bit):6.500059286855779
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:BG8tBKv1HCyODN2wjIqlLmqxY3AMVI4I9okOEvc0/c/sZRYltL26VVE2S+JJqsHM:BptQv1iyODswNLmqxY3AMV71Ev54EAxa
                                                                                  MD5:984CAD22FA542A08C5D22941B888D8DC
                                                                                  SHA1:3E3522E7F3AF329F2235B0F0850D664D5377B3CD
                                                                                  SHA-256:57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308
                                                                                  SHA-512:8EF171218B331F0591A4B2A5E68DCBAE98F5891518CE877F1D8D1769C59C0F4DDAE43CC43DA6606975078F889C832F0666484DB9E047782E7A0AE4A2D41F5BEF
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1566040
                                                                                  Entropy (8bit):6.387345800194587
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:GIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXig:GIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXV
                                                                                  MD5:A5412A144F63D639B47FCC1BA68CB029
                                                                                  SHA1:81BD5F1C99B22C0266F3F59959DFB4EA023BE47E
                                                                                  SHA-256:8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6
                                                                                  SHA-512:2679A4CB690E8D709CB5E57B59315D22F69F91EFA6C4EE841943751C882B0C0457FD4A3376AC3832C757C6DFAFFB7D844909C5665B86A95339AF586097EE0405
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 91192 bytes, 3 files, at 0x44 "dxupdate.dll" "dxupdate.inf", flags 0x4, ID 3666, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):100360
                                                                                  Entropy (8bit):7.9900557178400815
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:lvknxJpNYAzRstaRkz0BwwnNbSa+vp5647S:FkZNXsERk6wwBSa+vnl2
                                                                                  MD5:4AFD7F5C0574A0EFD163740ECB142011
                                                                                  SHA1:3EBCA5343804FE94D50026DA91647442DA084302
                                                                                  SHA-256:6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
                                                                                  SHA-512:6F974ACEC7D6C1B6A423B28810B0840E77A9F9C1F9632C5CBA875BD895E076C7E03112285635CF633C2FA9A4D4E2F4A57437AE8DF88A7882184FF6685EE15F3F
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Generic INItialization configuration [DXUpdate]
                                                                                  Category:dropped
                                                                                  Size (bytes):11198
                                                                                  Entropy (8bit):5.298852930715787
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:9NV2ety7h+IZpt1eJ9NWzfxRaTwzxlWINXWgQ83HSbsO6ctIQbjQQZRJi6C+vP+3:9r2et2h+IZpt1eJ9NWjx4MzxlWINXWgn
                                                                                  MD5:4AA32EAF94682FBD23952F377F13DF25
                                                                                  SHA1:DD6DFE27790A757794E3B763F4AE76A9CD464F22
                                                                                  SHA-256:863197BB7FD44227E666B6579DFDB028BB984C64DEC5F4A0E5B80662C7F88B9A
                                                                                  SHA-512:4693CDCB31DA3ACA729196ADC748873176E2D14E8E5813878EBC5DE9A94913262A47A168CD8BDB8C623C05597FD26F04CB1FEC655EA2C4D5AD4693E6560A7EB8
                                                                                  Malicious:false
                                                                                  Preview:[General]..Version=1..[DXUpdate]..Version=9,29,1974,0..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=100360,dxupdate.cab..[DXUpdate_Apr2006_xinput_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=49218,Apr2006_xinput_x86.cab..[DXUpdate_Apr2006_xinput_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=90309,Apr2006_xinput_x64.cab..[DXUpdate_Aug2006_xinput_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=49266,Aug2006_xinput_x86.cab..[DXUpdate_Aug2006_xinput_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=90350,Aug2006_xinput_x64.cab..[DXUpdate_Dec2006_d3dx10_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=194952,Dec2006_d3dx10_00_x86.cab..[DXUpdate_Dec2006_d3dx10_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=216015,Dec2006_d3dx10_00_x64.cab..[DXUpdate
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 91192 bytes, 3 files, at 0x44 "dxupdate.dll" "dxupdate.inf", flags 0x4, ID 3666, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):100360
                                                                                  Entropy (8bit):7.9900557178400815
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:lvknxJpNYAzRstaRkz0BwwnNbSa+vp5647S:FkZNXsERk6wwBSa+vnl2
                                                                                  MD5:4AFD7F5C0574A0EFD163740ECB142011
                                                                                  SHA1:3EBCA5343804FE94D50026DA91647442DA084302
                                                                                  SHA-256:6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
                                                                                  SHA-512:6F974ACEC7D6C1B6A423B28810B0840E77A9F9C1F9632C5CBA875BD895E076C7E03112285635CF633C2FA9A4D4E2F4A57437AE8DF88A7882184FF6685EE15F3F
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 40050 bytes, 4 files, at 0x44 +A "xinput1_1_x86.cat" +A "xinput1_1.dll", flags 0x4, ID 6338, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):49218
                                                                                  Entropy (8bit):7.962835058038329
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:rrXN+lWp5tvn2v0JeuXfYYJDyRIvwde6hecBLdKd+d4RUJ6HwyQs34VvD4:3gl6tfTVXwcWuqe6htcaJyQW4VvD4
                                                                                  MD5:E207FB904E641246F3F7234DB74121FC
                                                                                  SHA1:1BE8C50C074699BDD9184714E9022B7A2F8BF928
                                                                                  SHA-256:3FDF63211B0DD38069A9C1DF74D7BC42742DE003CEF72AD1486AAA92D74546FA
                                                                                  SHA-512:ED95D53BC351C98C0322753265B0A21C98DF97D0E2FBBC58A6836BFF374B7540B0CEA21371CD4A7EAD654210A42E1F9809CAC6E4EAE2ECF0EF2B88E220DC37F7
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):90309
                                                                                  Entropy (8bit):7.986243949537019
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:/0CNqg1WzKHJUq/JSlvxToeSNOUp9BttldRL9zaMNez4fbI9YKztrIrm:/hIg1cEJUxvxlSNOUpfttldRL9zkzAI5
                                                                                  MD5:B0669F7D395078BEE0087B089F0B45C5
                                                                                  SHA1:30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
                                                                                  SHA-256:E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
                                                                                  SHA-512:D7EFCFD85B3CB6CB9B1936B701A9D7D91A6094AA08D8C933EDF8493C6AD57BE05A579980A404B35E9721F71B45F4CAE28399FCA3FF5DF20A9A3138B90F86B94C
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 40098 bytes, 4 files, at 0x44 +A "xinput1_2_x86.cat" +A "xinput1_2.dll", flags 0x4, ID 6335, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):49266
                                                                                  Entropy (8bit):7.9632460736333766
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:OuG396sAA1wXXvVFc2755DkphtVmUkt/lnkvH0odpl/q1nk:vwQsAhFcSmpJ3kt/xcd7ek
                                                                                  MD5:16B968CA0C435EE45E77A84C2D0364A9
                                                                                  SHA1:90B17A60A34F6335787A6B2D489CBCD3A4EA98C8
                                                                                  SHA-256:6DD7C0ABE37D3DF7AA6DB7BB352260F4A15DC965FF9D30AA32FE9595C1A18300
                                                                                  SHA-512:3BBBFDF8B5673641EC066C3FB52E6B0D5CE0BC6ED6BFF17AB4AC3FA69A8628B09E5EC8322FC39D2A206974B54D297CAAFF9410197E26D090FE74F963CD535045
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 81182 bytes, 5 files, at 0x44 +A "xinput1_2_x64.cat" +A "xinput1_2.dll", flags 0x4, ID 7454, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):90350
                                                                                  Entropy (8bit):7.985841057262195
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:5lQFOMW9t2gGQtmxC4LbB8GXjgvW/j44krD+W2MLdk6v5yO1Ha6DB/4RPjz6ITda:rIOMWm+tmnbXjVkWW1lgO166cjz6z
                                                                                  MD5:A9D582E44E46E36F37EDB7CBC761179D
                                                                                  SHA1:ED1BEF64385E94CE89AFA704D38408E23B31FA79
                                                                                  SHA-256:C26633D38E0A91B9BE70382E916A83D50E219609F7E05CFB2D27DFAFBE480B43
                                                                                  SHA-512:20011BFB547DEDCE8E6FCEDA22C3A3A83DB140E8A20844F3B0E8741B4474C1FEA73D84708B801E83EAE3CD2D8A2D6C851C3F7CD0154C0382A78BC2C2DF6B01E5
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 185760 bytes, 4 files, at 0x44 +A "d3dx10_00_x86.cat" +A "d3dx10.dll", flags 0x4, ID 5461, number 1, extra bytes 20 in head, 14 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):194952
                                                                                  Entropy (8bit):7.9966042762544145
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:x4mJ4SadBGg8IZrdosr2nqOwY7l43gRDlcGgp6VMslgVwxikcBmEi21wx8MqX+dN:xJJ4VWgzZptAqOf6wRD5g0VlgVwxL21I
                                                                                  MD5:75C33157D8A1B123D01B2EAC91573C98
                                                                                  SHA1:E3E65896CE0520413979C0143C3AA9BD3A6A27D3
                                                                                  SHA-256:02DAA8B5AC3752F76C3BFD9A505EBF22B1B4B41E44EB92CE2799033B2330D186
                                                                                  SHA-512:F0F1F1DEA5938E1C7FF2ADF7C8D421C2E68E6D3A8CDF18D0F2F3FE1C6837A4F37B367D2D974C35832D1D85A619948DD0F250C7D6DC4AE39F618F5A2893EAC7DD
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 206847 bytes, 5 files, at 0x44 +A "d3dx10_00_x64.cat" +A "d3dx10.dll", flags 0x4, ID 6580, number 1, extra bytes 20 in head, 17 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):216015
                                                                                  Entropy (8bit):7.996946294916653
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:SGo145qtWQt9fL4bBHlKqDfaqaGm3+vqm9/Xx0b6POnzED/RIxeqTk0T:SGo145qtbt1LaeB36/xc6PkV
                                                                                  MD5:681407075E9B19E5EF2218832F6FAD71
                                                                                  SHA1:E4F4D292A36CD9A3034007EF9D2005694307EB52
                                                                                  SHA-256:F9BD5BB083BD55D1D2A690BC66D6D9DA0B1A8B49F09E811E788C030669121118
                                                                                  SHA-512:E983E7DD3F40510816FF3AE836600A186DBA827B484B0C346C20E43E229189A86D4CB5CF219C1FC35B77AB0668866446F6E9206B279931C927D4ED66AD3625F1
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 47342 bytes, 5 files, at 0x44 +A "xinput1_3_x86.cat" +A "xinput1_3.dll", flags 0x4, ID 8235, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):56510
                                                                                  Entropy (8bit):7.973777529821975
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:BcnwcwzHEdb27WH2SfZDNu75ddnVR+ZFaNk0ZKn4:4wb+2eZonQwt
                                                                                  MD5:B362EC93463D8B6381A864D35D38C512
                                                                                  SHA1:7CE47EBCEDA117D8B9748B5B2D3A6AE99FC239DF
                                                                                  SHA-256:B6C1166C57D91AFEEEAA745238D0D6465FF2084F0606FD29FAF1BFA9E008A6C5
                                                                                  SHA-512:CC57733912E2A296A11CD078372C3B43F1256A93EC5BECD0D1B520EB210FCE60938AA1CAA6DBBCA03292A05495B5ECD212EE5F77E3EBABB11EF31F1975B2D09E
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 90857 bytes, 6 files, at 0x44 +A "xinput1_3_x64.cat" +A "xinput1_3.dll", flags 0x4, ID 9350, number 1, extra bytes 20 in head, 6 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):100025
                                                                                  Entropy (8bit):7.988437274786544
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:Mt5OSvuXSf2rbZu4Kmsr4eLRwPC5B9y7q:MTOBXSSpFI4/PM/ye
                                                                                  MD5:FAE84E0773A74F367124C6D871516B7B
                                                                                  SHA1:CAF8B9D7D4AF965BF445D052D1E835B680D6BBC3
                                                                                  SHA-256:86EE073C199B5080FE4F5BE6AC24BB1117FEA42E4BBCD828B4F0EC26C669B22C
                                                                                  SHA-512:CAF1381CAE7417B57FAEF56D0023BF90C90406748F8813AB85C687DDB81E2498D2F1D5F4BC154903FD5A19836E6F245CD6F5D3927A383F1ACC3BCC41B58FD09B
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1007265 bytes, 4 files, at 0x44 +A "d3dx9_24_x86.cat" +A "d3dx9_24.dll", flags 0x4, ID 4987, number 1, extra bytes 20 in head, 69 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1016433
                                                                                  Entropy (8bit):7.998972724711677
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:T/HUK+hlSM4jwe8WpmQUrxiUyULWoF/V++TYrjVdLa1:bHURewe8W4VN8uF/VhMr5s1
                                                                                  MD5:7029866BA46EC477449510BEEE74F473
                                                                                  SHA1:D2F2C21EAB1C277C930A0D2839903ECC55A9B3E8
                                                                                  SHA-256:3D4E48874BDDCD739CF79BF2B3FD195D7C3E861F738DC2EAB19F347545F83068
                                                                                  SHA-512:B8D709775C8D7CA246D0E52FF33017EE9A718B6C97C008181CD0C43DB7E60023D30D2F99A4930EBA124AF2F80452CBF27836D5B87E2968FB0F594ECA1EBF78DD
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1073002 bytes, 5 files, at 0x44 +A "d3dx9_25_x86.cat" +A "d3dx9_25.dll", flags 0x4, ID 6922, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1082170
                                                                                  Entropy (8bit):7.999075135168916
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:i0BodqhH/OCy8M+j5lcB4ZfeXBXUd/QLML9bw6Uzc12:iUbffy/+lmBXF8Ioxw6Uo12
                                                                                  MD5:9C5DCA423D9D68349D290DF291DDBEEF
                                                                                  SHA1:D9F1CAE586470EA309CE9F115525B0504FFFAEA4
                                                                                  SHA-256:5487ED4E969A822E5C481CEFB1D4DA3066B1D5EC8C55798B246915ECB58A8665
                                                                                  SHA-512:9F50599321F45FB7451B0A1C0F1DCBD6B4A4E60EE27B0EF5AA29168C1BCE5B08F34329916EA2EA655CD632D0A19C81953C2A5F1277F6A96FB63AFC098236509D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1058965 bytes, 5 files, at 0x44 +A "d3dx9_26_x86.cat" +A "d3dx9_26.dll", flags 0x4, ID 6937, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1068133
                                                                                  Entropy (8bit):7.999040217820951
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:NxFMsUF1MmwONoWu85w6SFBu+vveJ0sut3z2A1s9z/D8gigA:V3dm3NoW+9FBhuJ9ut36A1s9z78giP
                                                                                  MD5:029359EBCA4BA5945282E0C021B26102
                                                                                  SHA1:6107919F51E1B952CA600F832A6F86CBBED064B5
                                                                                  SHA-256:C44EABF5BE3B87CD845950670C27F6A1E5D92B7758BA7C39C7849B1EE1C649C0
                                                                                  SHA-512:FA007F257F5267119B247EC4ED368E51FD73E6AEA3097E2FC4E78078C063AF34D161FD1BDCAF3097BB575D2614DBA226A624D060009EE4F7BEDA697EFCF42BB7
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1071684 bytes, 5 files, at 0x44 +A "d3dx9_27_x86.cat" +A "d3dx9_27.dll", flags 0x4, ID 6926, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1080852
                                                                                  Entropy (8bit):7.999138982152864
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:sP2N00PXWcq4UsDMMlsOgDUaQFMBZ0To2xIG:sP2CuZQsVl96fQiZMo2xz
                                                                                  MD5:3E91448A7481A78318DCE123790EE31A
                                                                                  SHA1:AE5FE894790624BAD3E59234577E5CB009196FDF
                                                                                  SHA-256:8C062B22DC2814D4F426827B4BF8CFD95989FD986FB3AAA23438A485EE748D6D
                                                                                  SHA-512:F8318BD7CA4271FC328D19428E4688DA898B6D7FB56CC185AD661D4A18C8169392C63515D7DD2D0B65CBD1F23892D7A0A5D3D77A4CDA6230BA03B3B917E5C39A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1073496 bytes, 5 files, at 0x44 +A "d3dx9_28_x86.cat" +A "d3dx9_28.dll", flags 0x4, ID 6914, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1082664
                                                                                  Entropy (8bit):7.999121865147412
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:Wa0lNxqf7fg42FhNffA/Lj41q7+YeSFfSKidHVmTJwagz8u:WHXx652fNffm0oleSt3Fwa3u
                                                                                  MD5:B1CCAAFF46FE022439F7DE5EB9EC226F
                                                                                  SHA1:8BB7225DF13E6B449D318E2649AEB45A5F24DAF7
                                                                                  SHA-256:645F8D90B07C69330A8C7C8912D70538411C9A6B2813048DA8AD3C3119487F93
                                                                                  SHA-512:2B59C07584D45705273A975A0223E4443DB190675558AB89D92E1572DE4843BE3D0D1267818B19185E4E438A8BCFA2AF5FB5EF2A119DA270BE4540576FD78C77
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1078760 bytes, 5 files, at 0x44 +A "d3dx9_29_x86.cat" +A "d3dx9_29.dll", flags 0x4, ID 6921, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1087928
                                                                                  Entropy (8bit):7.99922866964108
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:MWlF24ngnZPhX4ciAwvVHgK6SgHY6OmSfLV+:MWls4gnZTmHx6SgnPCY
                                                                                  MD5:F6CC1C08D0F569B5F59108D39CE3508B
                                                                                  SHA1:E9CF7EDC8C9C4B57A9BADD8386A2117EC5785AAB
                                                                                  SHA-256:4114E76799AF3DA9DB3DAE51305DAD70A05B757E506E4A327092D536CCA7EE75
                                                                                  SHA-512:86DF72D5B15396ACB504C1AC9DE7FF5C0CC9C95A90FDD82DAEDC55BAAD490CC47A71CB511571D37E25DD9BC1EE9652B9723E33879BC1756A7881A8E61EBC59ED
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1109261 bytes, 5 files, at 0x44 +A "d3dx9_30_x86.cat" +A "d3dx9_30.dll", flags 0x4, ID 6903, number 1, extra bytes 20 in head, 74 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1118429
                                                                                  Entropy (8bit):7.999050518080374
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:OreyPa6AC8e290lruGDhi3TSvHDh+ISNvRNhPmJ0RRuu:cNoeYEuTSvjh+R3WKRv
                                                                                  MD5:B3D644A116C54AFDA42A61B0058BE112
                                                                                  SHA1:9AF7DDC29EEF98810A1A2F85DB0B19B2EC771437
                                                                                  SHA-256:CA7B9C6A49E986C350147F00A6C95C5B577847B5667B75681A1EE15E3A189106
                                                                                  SHA-512:A2D2F12B7B37BD8F5C8465DD13AD31942DF11EE5ED5423DEEEB178E6B594587706D2C5116258BE1562CAA5ECA691358AF3CB83B77898D1012FF521017D199165
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1121257 bytes, 5 files, at 0x44 +A "d3dx9_31_x86.cat" +A "d3dx9_31.dll", flags 0x4, ID 6911, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1130449
                                                                                  Entropy (8bit):7.9990817245216945
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:fd5gyP75nbAgKdWsTLSCs3BZnH50ve35Jxroo6DS:F5fP75nbt0STRZn9nxrb5
                                                                                  MD5:F778928C9EB950EF493857F76A5811AD
                                                                                  SHA1:EA82D97077534751297AE0848FB1672E8F21E51E
                                                                                  SHA-256:4891E2DEA9D1798F6A89308E58C61A38E612F8433301EA2376AE14C3DFCB3021
                                                                                  SHA-512:1F382A287FC6763B8E8D66825E8256DFB7D0DEAD6B6A6B51DD7C4A5C86D536CC7EF4128BE0CE495FE17C859018750072DC7B43E3476D1BA435F209CC4EB6D43F
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1568416 bytes, 4 files, at 0x44 +A "d3dx9_32_x86.cat" +A "d3dx9_32.dll", flags 0x4, ID 5512, number 1, extra bytes 20 in head, 105 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1577608
                                                                                  Entropy (8bit):7.999092247669469
                                                                                  Encrypted:true
                                                                                  SSDEEP:49152:VKo9fY3tlVm3JjPueurZ8zQbC88LHhpu97Sm:V13BFurZ8U18uSm
                                                                                  MD5:A5BEAD938AFDC63ADFECC1DAF5049D7F
                                                                                  SHA1:B3D5BF56F6B9BF87C33009A088BA7785B6363B4E
                                                                                  SHA-256:A1CC7603302EE53D54F4353C223D95E223706924D99B864220B13814EF93EEFB
                                                                                  SHA-512:C9244BBCFE60F347EC8785B1A41B6E243153624EA73B16DB4D624239A69FA76D2DF2E54039D8F4D2C495890AC17B676E390F796118B4E16D9F03683247190362
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1600079 bytes, 5 files, at 0x44 +A "d3dx9_33_x86.cat" +A "d3dx9_33.dll", flags 0x4, ID 7180, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1609247
                                                                                  Entropy (8bit):7.999284261824255
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:4cQY0tIpwa5ydxGuruluTsRWo1Iq9e5m98yiN9/0rjVH60mPxr/1MQK:4cIIi+G9rul8uooec98yi//0rjoDZrCF
                                                                                  MD5:A5915EC0BE93D7EEBE8800CE761EE6DC
                                                                                  SHA1:E8BBC21C2B5F0E5801286F07E3DA09DBC67C3961
                                                                                  SHA-256:EFA2E6DE548401376A575E83A79DE019AA38F191D63FDEF3BD2B07D8CB33E3D7
                                                                                  SHA-512:02259FF3C8478CBA134A8F8408AA624B7165CED97C0AED8C9626034599DD5439F84D1AF9EEFC4191898B0A524E5FFAFB9875EC00E740CEBE97EAC4C2DD0E31AA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 689905 bytes, 6 files, at 0x44 +A "d3dx10_33_x86.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 9049, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):699073
                                                                                  Entropy (8bit):7.998968028413629
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:SHwziN1v34WzSc6IA6ajvY8ov8ZdReUTQ8Mr47JYCophIa9sNDn1QcILtw6:V01wWzCI3ajjls4NpAsNDnMw6
                                                                                  MD5:F784B8A0FD84C8AC3F218A9842D8DA56
                                                                                  SHA1:FB7B4B0F81CD5F1C6A900C71BFD4524AF9A79ECE
                                                                                  SHA-256:949068035CE57BBB3658217EC04F8DE7A122C6E7857B6F8B0CA002EB573DF553
                                                                                  SHA-512:01B818AA5188CDE3504E289AEDCA2D31A6C5AED479B18A2C78271828AE04BEBCD4082051B7F4EECA8A31E8EE5ADBA158420ECDCB21371C735E4781EE5F661DBF
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1601326 bytes, 5 files, at 0x44 +A "d3dx9_34_x86.cat" +A "d3dx9_34.dll", flags 0x4, ID 7195, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1610494
                                                                                  Entropy (8bit):7.999066428256981
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:ZBdkB3TM+mIf4qyM0iJRy3QvQDxPYKhatPJZcg9QwJeYX34eq2F37kRVeLbdiL3q:ZPU3TMXxDVI3vQ2KSBP4YH4aAELbdK3q
                                                                                  MD5:FE8FEB215FAE59866DCD68C1604D97AA
                                                                                  SHA1:CEDACA678D15E78AA458B965ABB467E8964A1FAB
                                                                                  SHA-256:1C1E1C6F68BA556A0AF09A38C32EB421C543A4848C4B42D25867C98DAB3B3A50
                                                                                  SHA-512:9955336B561E4FD3BA3DA7FC086643E811048A25A7E68344D2CC5CAB091980BAAE1C04CE41328B59C896662E2875886B78EC869852B2D1DAAA46AF38C894A3F2
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 692512 bytes, 6 files, at 0x44 +A "d3dx10_34_x86.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 9065, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):701680
                                                                                  Entropy (8bit):7.9989902264021255
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:SuBBWP1krfKO0BZwB6ux8hBXsRbD3RazqgwLdJPMqHy7qdXCyhUW3zE:DBTrZ0BZwV8fXsprRaxsDBHyWdXg5
                                                                                  MD5:19383CBADA5DF3662303271CC9882314
                                                                                  SHA1:123C97C33F7EF2BA345B220450F181D440412E6B
                                                                                  SHA-256:8EC971C91040618338AC2369188F3E5D7C85A5B1E3B9FC8E752DD845D295CDBA
                                                                                  SHA-512:A4C6ACC9FF656E05D75AE0081C65C200B584209C99FD001494C4D206F2CE8A78D2DD3644E51018574928F3B9E9373BF7EC8C5147A3590B54D1C6D50E61342853
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1702192 bytes, 5 files, at 0x44 +A "d3dx9_35_x86.cat" +A "d3dx9_35.dll", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1711360
                                                                                  Entropy (8bit):7.999186916403002
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:91jqFBu+YTN2MuQ4R6dPnknsGmQA+re+1ZGD+rCbaNHy196aqlF35RJT1q/P0a+8:9FyMTN57+MPO++rB44S1I/F35zhqFR
                                                                                  MD5:3ED592E6CDAE66B1C0671D9EC417A738
                                                                                  SHA1:9F083FFE00A8E5EABF282130CD16044B488B6E0D
                                                                                  SHA-256:4914D2B5C3251B00C0CC236F51AFE469728D92B50C953C66D213F079AC928EAC
                                                                                  SHA-512:0144DD9A83F953EABAAFF3C41F17A363100C9A2CCD932321A4AFE990D8FCB5A430E842DE9146C983409B6366CD974E318A535E6475B10839A6679844CB7D23B7
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 790907 bytes, 6 files, at 0x44 +A "d3dx10_35_x86.cat" +A "d3dcompiler_35.dll", flags 0x4, ID 9055, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):800075
                                                                                  Entropy (8bit):7.9986813742013325
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:iTo6mZ4UtaxS5hNsXjnUQEnnR62vSNE6xr8M6:iTdwtqAUXjU7nQaSNvxo
                                                                                  MD5:DDC4AF0D53B477E5AF77942E7118B66E
                                                                                  SHA1:81AD8201DCF653A6E977C4506A274D0BAC12643C
                                                                                  SHA-256:9536166EE7CC1100CFE24E01532E8E4DEED6BAA838B4C025581F2CA046A25915
                                                                                  SHA-512:1E082D7E7855BC0AF6EC09D4A69FD4A1B0A3A31E4DE8FAA52FA0BDCD601C501ADA6216DDDB83058F37AB4A371068E0F344BDF42F2551943BE19BD719D99BA93C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1703400 bytes, 5 files, at 0x44 +A "d3dx9_36_x86.cat" +A "d3dx9_36.dll", flags 0x4, ID 7211, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1712568
                                                                                  Entropy (8bit):7.999078652914364
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:fMb9V3TN8vuaBYlFhEbpdjRsI+CpoUjrn++qWYxhiUX21LVpmI9P2BZbcNU7YBP1:kJEvlmFMpdj/Npocz++q3X2tnLAcm0Bt
                                                                                  MD5:C5E127067EE6CACDD2F8962E6005542E
                                                                                  SHA1:22C571E4DA75A6E5DFE02E3E3587F40C2939C745
                                                                                  SHA-256:F52CC1304B533083B3FC5553C49433C0E4E46D66D567B9DE0B558CA518DB1544
                                                                                  SHA-512:E70DF11AF8CB5D51C3111B8327371EA40292580F06D7D265F2449B89A4941C4740BDE904367FBCB4158512939BBD7C7A3DC20D3642475789FC075A2AE8E27860
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 797924 bytes, 6 files, at 0x44 +A "d3dx10_36_x86.cat" +A "d3dcompiler_36.dll", flags 0x4, ID 9083, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):807092
                                                                                  Entropy (8bit):7.998858073625772
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:EL+Y8gC2xQcaINcDDHwNXjNOl93uN850V7ZcR0SEDR3l3M:vD2xaINcDHIzhs0Vwz6c
                                                                                  MD5:3D9A0C59156D03DA0F19C2440E695637
                                                                                  SHA1:55B050991CB17410C75ADC3913066BAEDB482ED0
                                                                                  SHA-256:BDF7FB01C02783A4F8C9F5E7911F5CAE3E2A7CBC425B90B36F9EA6EEF2C27DE3
                                                                                  SHA-512:E9A662498C43865E917F0778B772D6964517E41289CBF5A0B8A4E44D8C4B4E9A5049C76F2ECBE4ACC7E9CFCC3F1D87A75C3F8703E66804CE758969814BA14FDA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1437322 bytes, 5 files, at 0x44 "d3dx9_37.dll" "d3dx9_37_x86.cat", flags 0x4, ID 7166, number 1, extra bytes 20 in head, 116 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1446490
                                                                                  Entropy (8bit):7.99972380205062
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:vFs/gTzoeHhwLMLDjl5XbCzgxt0Q98wWz35UM0vE03yYCmPI7ik:veKTHhbLDbDP0Q5UUtBC2PAz
                                                                                  MD5:8ED75E3205C2B989FF2B5A7D2F0BA2DF
                                                                                  SHA1:88846203588464C0BA19907C126C72F7D683B793
                                                                                  SHA-256:91A50D9EFCDFBCDF22A91D6FBB0F50D3C2AA75F926D05CC166020BF7AAF30E28
                                                                                  SHA-512:D0CF0E3AAD9C8C43A927D1BBBD253B9FE4C97B638AD9A56F671EBEDA68FC9BC17CC980D93095FBB248DD61DC11B7E46C22D72CEE848B150F7A13EAD9E08A7891
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 812300 bytes, 6 files, at 0x44 "d3dx10_37.dll" "D3DCompiler_37.dll", flags 0x4, ID 8943, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):821468
                                                                                  Entropy (8bit):7.9989494569533655
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:k8Yjgk28yEYvDLX3XmZcLHo9yLvTJqnrT+LprnNjjjGM6pdKi814DYnciABrI55V:1Yjp/yEcfLI9y4rORNYdKibxBrIS6
                                                                                  MD5:8234B9B90BCBB5077E1B5FAA0B66D1A9
                                                                                  SHA1:E9207C572FDEC592B7C17A7F9C6F875C8A55B1F0
                                                                                  SHA-256:6A2727269E6CAC7C4D2E316333D29BAC0DC1CD7F51C36C0C08B0388203DEDAD2
                                                                                  SHA-512:74C94A6E092D7C828FC1E3FAEE4B21917AFC3CACEC04F260754190D0533F93A58289763AC620E5A577F7865902023B30548CDA4D9E968C90EE13050AD6D1E8C5
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1457918 bytes, 5 files, at 0x44 "d3dx9_38.dll" "d3dx9_38_x86.cat", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1467086
                                                                                  Entropy (8bit):7.999726422350297
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:HGIly6o6H1kEznWRpKpx5A0SBF/VnjmkC8nAMzh08qF4QH5/RSzsExkqv4Q9hHi0:Hh46Tn/UXVjmiJlO4sVRSzdk5uhCbOka
                                                                                  MD5:E2FB2E37C342983493C776BD81943978
                                                                                  SHA1:2A8F3C45CF979966D4D4D42A4D34F05C72C7E29E
                                                                                  SHA-256:57E57A6348E55AAACA6BED5E27BBDD0A4BD0DDE69C77F4D26C805BE6384BE927
                                                                                  SHA-512:2D297F607C5A098A3D2B19E7F88AA12F720AF3C23FE6DDCE7D4659A9184D1CF8F8A76F35B8ACB639B48CDAD8998C919215A03B89207E2BB1829EA3D8A9EFB95A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 843959 bytes, 6 files, at 0x44 "d3dx10_38.dll" "D3DCompiler_38.dll", flags 0x4, ID 8962, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):853127
                                                                                  Entropy (8bit):7.998980130768887
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:IKcIh4DqtGLRndZKm4zZTQb4BJ+gfG07QyGeZH:IKc64DgG9dIZTQb4L+GGIGeZH
                                                                                  MD5:B0E2B612DAF28B145B197A4DB0A9B721
                                                                                  SHA1:F69266E4AF3D2DE31A2A2E416F10B0F44737739A
                                                                                  SHA-256:E8DC1063C9434EED8D633741B19CDFA1889581041E2214B87B5159E3EA087F3C
                                                                                  SHA-512:6E31F18CB75CE69D291D0ABD15EDADF02C0693033351DFB2F435312A47540AA223C8176209725C14A05FA6494153A3E191B2FB7CB8C5CEE11FB42371CE67392B
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1458712 bytes, 5 files, at 0x44 "d3dx9_39.dll" "d3dx9_39_x86.cat", flags 0x4, ID 7173, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1467880
                                                                                  Entropy (8bit):7.999682997096517
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:ztDuVYfr3zZ3dHi+rHI8lVs1WutNXBoY4RbifcKly/kNwSh1mMbS8X/9Wv8PiL:JDnr3zZ31lVsgENSsfcKaZAFF88+
                                                                                  MD5:4379902C4180A9A6BF40B847372CEC5A
                                                                                  SHA1:C7FC8184D5620154B9BFD6FBC8820A78C4EEE592
                                                                                  SHA-256:61E703E8D231412F135B4ABA629122D9CB69AC9EE39FA3CBBE6B95DE05097A8B
                                                                                  SHA-512:9269F49A5CA90143C50B817E9F5AEC0FC4C32BA1B6D3A21CC5448CAD21A16A902540C8CFC1825B124CE39E0BDC479ADE4354B6BE15B2067E3033E04998E0710A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 843207 bytes, 6 files, at 0x44 "d3dx10_39.dll" "D3DCompiler_39.dll", flags 0x4, ID 8952, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):852375
                                                                                  Entropy (8bit):7.998886184584254
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:E6Ih4DqlkwAjhr1mB+uYgrCvCZNmJ9ndKo4XYbX:E664DQkwAj/oNCvCZIdN4ID
                                                                                  MD5:5380053AC4C344BD38604022476B1C1D
                                                                                  SHA1:043DC8F49BCA3BF0BD85E858F5C2EEDF68565C0D
                                                                                  SHA-256:84800C55F773D5D6913E344E41BABA58CF07CEC2E6C7114CA3BF48E8F355419F
                                                                                  SHA-512:F3CE2DEF6E2E8A1D2C07F627E3C437A1BBA0B2E456020A84121346472BE3D28E0FC69623BD408F35A2C639C83DD2787F998DEDFE42B7625DC71500824B035FEC
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1544836 bytes, 5 files, at 0x44 "d3dx9_40.dll" "d3dx9_40_x86.cat", flags 0x4, ID 7155, number 1, extra bytes 20 in head, 134 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1554004
                                                                                  Entropy (8bit):7.999645278979612
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:K3tdQkdeoPJLiej+pb7Q15LwQrpLeWvYMWbPBmcnILz+0Byna:2dvdeAweSBQPLwgpCWvYMQ5mcnIH+m
                                                                                  MD5:75556D89FDD442967A23993C9111D997
                                                                                  SHA1:003DE53653C0CC84F8C3D617D1F76FB475F1A7CB
                                                                                  SHA-256:863AC3438F57158D4F53900C6924BFDC132AB43A5AF57D4658E65842836B4FA1
                                                                                  SHA-512:6086114500DBBF4DB9D0A9C3F72732995BB9A3AB5C135EAD53143749B95651B37B64BE7A52CA09388DE90216FD00486FDFCFBC87D42D77FAC469F82B5290E06D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 959461 bytes, 6 files, at 0x44 "d3dx10_40.dll" "D3DCompiler_40.dll", flags 0x4, ID 8926, number 1, extra bytes 20 in head, 77 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):968629
                                                                                  Entropy (8bit):7.999011847061652
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:JKTxCzc8gSDnU8Hz10a0s65QckarHGlImJtXn+QbtU0sHsqzn:mxCzs29r0WQma69nBbtU0sjzn
                                                                                  MD5:5DFEB46E60795266DA03F2D0A67E7ACD
                                                                                  SHA1:A77758873E5544E8AD22ACF469C4A0FD0C944A88
                                                                                  SHA-256:EC52B075A3E9C7FE468B317E0FF977964B1003D560065128741F4392BF47C49A
                                                                                  SHA-512:6EC058811AC017BE3CD3A46559CD73126666F41B0FA58D92C1168CF2A2E0E2357B19F65531C786EC81A438975DBECE440C5E7B6C653AFA5428CE6C444179AF6C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1606486 bytes, 5 files, at 0x44 "d3dx9_41.dll" "d3dx9_41_x86.cat", flags 0x4, ID 7142, number 1, extra bytes 20 in head, 128 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1615654
                                                                                  Entropy (8bit):7.999772423092358
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:xFtN95ew18Yl4WTrZnZSibmmq18Whxp9pWISiIz9cXwowwenm2AB4qDA2mV7Q:newRFZ8ib6T3p9pW9/Z4bM/XkA+
                                                                                  MD5:901567428D8C82756D7BF5A406441BD7
                                                                                  SHA1:6E3C22147F3DA77AC8F20D615CA32B5EF2A0ED28
                                                                                  SHA-256:32356344AEDDF709C9D5302D8F3FCC1FF1BE2E82D8D17833A2086400AF248794
                                                                                  SHA-512:6FD4C429E32480BDFF4E58BA8BC0D28FE97C9FF5EF1FABBB856230EFA669246A354F99B723E7483D548B74C121AC8BA9CBA2B5BC3C18F35EE828302D392CF6ED
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1034785 bytes, 6 files, at 0x44 "d3dx10_41.dll" "D3DCompiler_41.dll", flags 0x4, ID 8914, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1043953
                                                                                  Entropy (8bit):7.998757160305283
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:JAEjuCeK6JgAkPBJoBgsqDP8FbGACV0L/sW0G+vv2:JFuCeVJqyxqDUFb9CV8r
                                                                                  MD5:45E83CBA5710A1DE7D3990A288122E85
                                                                                  SHA1:23C4BFBDDCFB11ACB7C47C409825F039AF7EB908
                                                                                  SHA-256:B7DA29103CDF374DE0C09713CB985035EAC45FB8B394D3B8157D8A7562A89899
                                                                                  SHA-512:8C56D376D349AA00948E1F3C6168DADE76AC9A26ADE1AAC5A385DCF0253602F5A2973483D083425195DB6AD7717494FD3CF674F5549774AC608CEFA2A88BF0A7
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 722496 bytes, 5 files, at 0x44 "d3dx9_42.dll" "d3dx9_42_x86.cat", flags 0x4, ID 7080, number 1, extra bytes 20 in head, 59 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):731664
                                                                                  Entropy (8bit):7.999475174279291
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:IDTg2rIyRKFAtmsFp1UChyax+LFl9NiHEpMH5Vfe8PIqEqnyA6F56J2:M02fKYVFvhKLFl9NikiH5V28PXyA6GJ2
                                                                                  MD5:9BC8213933598D050827D20A4573486C
                                                                                  SHA1:E6F9BA62756A00C53746419DEA221881AEB336CF
                                                                                  SHA-256:9C96B6FC4DF5C0EFCA9F0D653976772B2B964243214F99066E4CA4AA6DF791DD
                                                                                  SHA-512:A1920D042963CDDA41DF44044DE5B94B4CEE6EFA102F633214E384918D93D2D6A31EB388BDBD00C7E9C199281E3B71CAA5242E9A42E7F0BE27EDF90A3CF6890C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 186171 bytes, 5 files, at 0x44 "d3dx10_42.dll" "d3dx10_42_x86.cat", flags 0x4, ID 7280, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):195339
                                                                                  Entropy (8bit):7.996178589789764
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:/hxMUzbnbaWbX0JkFvs5aQnkW6sJ/Fw395/lfLxBQLgGlekmQI84HAGujR7j:5CEbiqvs5aQnkW6A/8jlzxBw0/Erd1X
                                                                                  MD5:F264AF5A36B889B4F17EB4D4F9680B4F
                                                                                  SHA1:1DF087EA99D321EC96D0D2F1C66BEE94883D6F08
                                                                                  SHA-256:BB46189EB8CB7769EB7BE00CFBC35902072FA9408313EF53F423E5AE5C728F61
                                                                                  SHA-512:73AE1CF3CAFBA148F4E5B4D8AC12A7AA41F6ECAC86C139C6A7714F90F3DC61C444DC152A3AD3C2CA800C1A1F4955A2B508735F8490666B57D1420FB7A7BFC269
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 99084 bytes, 5 files, at 0x44 "d3dx11_42.dll" "d3dx11_42_x86.cat", flags 0x4, ID 7285, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):108252
                                                                                  Entropy (8bit):7.991332626956763
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:MI9cI4N24813fwIsfQqzjoroJ1OL79D+0sFGmNjFRchFxLvk5yswFa8D+0qlt6s1:Pah8Vo/1uLJoGmZEFxLvcwM8DZcZxb
                                                                                  MD5:DD47F1E6DC19405F467DD41924267AD0
                                                                                  SHA1:85636EE0C4AF61C44D0B4634D8A25476CF203AE9
                                                                                  SHA-256:39FF69BA9161D376C035D31023D2FDEECB9148A2439ABE3AFD8F608F7E05E09B
                                                                                  SHA-512:F77C4CEF5CB7E927948F75C23A190E73D6C75B4F55915859046533A10AA3C5ABAC77D8BEF71A79368C499C85009213E542094B85B94B69E62AA66B60616777C3
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 3313780 bytes, 5 files, at 0x44 "d3dcsx_42.dll" "d3dcsx_42_x86.cat", flags 0x4, ID 7865, number 1, extra bytes 20 in head, 169 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):3322948
                                                                                  Entropy (8bit):7.9992960947448655
                                                                                  Encrypted:true
                                                                                  SSDEEP:98304:hd4ZyuDJf9oMm+hWh3ZHD8VZQCbsY/ny66RHX:BuD8b2WUZQCg+ny/
                                                                                  MD5:73BA11CE0E936726FC9FCB882F8B91EA
                                                                                  SHA1:4A4BABE3AC751E60AE6B5B0D69C93FA53D7FCD21
                                                                                  SHA-256:A9A704B73531D6BF59A421AB5C046C19A16D2B0B07F09816DBE9DA4550A24B17
                                                                                  SHA-512:9A198EB93D5623651D2981A277EAB4C345C08161254D0127D90C97344450AC1A7FD5C8AC840048A43A347E3296B286B646EA0FBA88F0C7BCE1CEED1484112D56
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 894638 bytes, 5 files, at 0x44 "D3DCompiler_42.dll" "D3DCompiler_42_x86.cat", flags 0x4, ID 10010, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):903806
                                                                                  Entropy (8bit):7.998441664012848
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:kWl8lkb28nNHiYNk9tb59zmj000KFiBudeBsbgy:No8NHi7/pAJioEy
                                                                                  MD5:87BDAE64FD47A75F867A290EC7B8A4B7
                                                                                  SHA1:DD9E69E1815E8BC161E8EB89A0F2A296074BB95D
                                                                                  SHA-256:6BD32337826F5A5141FC06391919A249E984150905C2546DC8BFC33D41A24E82
                                                                                  SHA-512:C8F7A490722741DF4E03823880C6D623FF16AB648A40C1B1C8F7BF26C92499EB34C4596BF239337CD23A57974757958AD9A30D42A4141DC0E7522F998ED3893A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 762076 bytes, 5 files, at 0x44 "d3dx9_43.dll" "d3dx9_43_x86.cat", flags 0x4, ID 7093, number 1, extra bytes 20 in head, 62 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):771244
                                                                                  Entropy (8bit):7.999380380890997
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:E0b5pTUIVIRxV+yb+HJFnXQRGr85UpzQ3VztxmHN8DMFy0BJ1lSIug3SqHAlzJYf:l51NVO+XVLs3VztQHmYjBJb931I1NYI0
                                                                                  MD5:BF124B64FC3774F61D30DE0A405F0C6C
                                                                                  SHA1:2F8A8BABFA4E51555FCF125E8373D9C5F7F7434A
                                                                                  SHA-256:457C5CE48EAA0FE551B46DFFC1E4DCA985D261686D8D4E6BCED533EE1F682FCE
                                                                                  SHA-512:935922CE74BD399E8358693562F86C9B4B6308A6E33586A5DD61924F8B6B2CFD6CB2E472FD082B9EA32C0ABB9A799A0BA9103B4C316342F8072A7A3782C2116C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 191323 bytes, 5 files, at 0x44 "d3dx10_43.dll" "d3dx10_43_x86.cat", flags 0x4, ID 7293, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):200491
                                                                                  Entropy (8bit):7.9966634458730566
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:kD2Fju8h1xkWCD/5e8U2LK1aQAMxVz2aoOxoY4+ApyP0EwMGvFas+8QJgdBvCD7D:kwbCleyYagxVCaoV+ApcnG9aKQJaw/
                                                                                  MD5:591A61BD06C73C70F93DAC5AF2D8E924
                                                                                  SHA1:C9D36AC5E2ACAC31A7413D22ED1C09C71CC96FFB
                                                                                  SHA-256:F0BC06CEB484D97CF01526F9223DF7B4357D166C4391869F2E7D514DC1FE769B
                                                                                  SHA-512:3E2E3318A700A6ED82A21018403CA99728C8A56B7DF81F99A5D705B586CEE1141586DBF19A01EF1F1A72DDC8F45DDB51BA5769AE4634B02233EF1AC4E0FBA5D4
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 103485 bytes, 5 files, at 0x44 "d3dx11_43.dll" "d3dx11_43_x86.cat", flags 0x4, ID 7298, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):112653
                                                                                  Entropy (8bit):7.991810619702373
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:tXMVzDTlrM28bEHSqgik2ono4DQQ/7cuBFbb9aD4:tXMxNjG4gikye5FBtBr
                                                                                  MD5:061BBA3836B3FFCBB01B150467BBE951
                                                                                  SHA1:00D8FBCD4068B3199D3D393BB4B86BF82985480D
                                                                                  SHA-256:B80DB68CD82CAF8BEDAEE62808171B20C546A76499C3AD53014E3BD2FBD2918D
                                                                                  SHA-512:AEC8327E1CCC0B33B3E32D66A5EE25C4B70A227B708D10F61EBAD2D998F3BE68145FA85C50BAA16A21EE766B336B1432FBEC02C75D698793092015C832B6FC26
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 756228 bytes, 5 files, at 0x44 "d3dcsx_43.dll" "d3dcsx_43_x86.cat", flags 0x4, ID 7878, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):765396
                                                                                  Entropy (8bit):7.996955154936438
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:C8Dx0/99rEneJVyrxcsaWmeUEEBTJNCK/FcZZXlewc3/2tqCyrIUl3z82ItDwh2Z:XDO19AVrRfEHNZWZrs3+ICyco3MDISTT
                                                                                  MD5:E34C0CF1BD5A68C80BDC709A452EB322
                                                                                  SHA1:4DD4553EC7E2E42D51A716B1F4CB58588BCAA164
                                                                                  SHA-256:799B517227812252481C9C9B22CF16FF185FFC20B9273612C8A37153B53AAD93
                                                                                  SHA-512:3488A52F6FD3681B10624546B923368245F969330D4909E91C5B58F159CD24B258A8A2274D62243CA5CA9F1FB40F9F248B3BD92283F775DD24BAF68ECC5FD03D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 925511 bytes, 5 files, at 0x44 "D3DCompiler_43.dll" "D3DCompiler_43_x86.cat", flags 0x4, ID 10023, number 1, extra bytes 20 in head, 65 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):934679
                                                                                  Entropy (8bit):7.998315243107519
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:pOWjUzqd7URYQio4yGDUATxoWDYicd3qRbmXHphTheb:ptx6RYQiL1DUA7EicSbUJhIb
                                                                                  MD5:E7DFA140CB0AE502048ECDF1E42360E6
                                                                                  SHA1:4DB08318F78F076FCC6FF29737B3D6D676F59C54
                                                                                  SHA-256:293CED557AD732ABD2737333DF39B08216F31601D7AB65B743FE51B4EFB8B6F0
                                                                                  SHA-512:39B69A5CC4A50DE72D031C41879ED7644B577A9E3E3B44BFECC61D5312C7C32C964DC2CD37DB711F7E486F444CA77FE732C642F3E494E6DA1BC1CF774D9EF75C
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1241539 bytes, 4 files, at 0x44 +A "d3dx9_24_x64.cat" +A "d3dx9_24.dll", flags 0x4, ID 4731, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1250707
                                                                                  Entropy (8bit):7.999567218170613
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:bsacaEhnsKcwXWOBfH7OhvlY2HIbbK09zRy2/TnN75EEvIOiOhpbF:xuzcwXW6YlFIbtN7MOiOh
                                                                                  MD5:DCA673A8F9F834F9370862D1C97FD9E7
                                                                                  SHA1:1A0CF0FDDA2C9E8ABDF5CC19FCDBEAF1BC1639E7
                                                                                  SHA-256:BE3DE63F136A2B41D3229E477CE2CD7F67DED031B4B370E640C39B80368238CF
                                                                                  SHA-512:255270BDBC1DCD6A3213D8F0DA2E48C6445B0141C5148EDD1DABC9CA4643667651694B68013412A4F2EC90CCD60A757F64A9A76E2576C4FCB056DDE726A6F67B
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1341394 bytes, 5 files, at 0x44 +A "d3dx9_25_x64.cat" +A "d3dx9_25.dll", flags 0x4, ID 6661, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1350562
                                                                                  Entropy (8bit):7.999714569554039
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:qc+wdspnWpjnrcf+FH+guUawET50xShS+KMMMBNNxjUBH/0ghOw5b:r+AspngnK1TDhS+jMMBN3jeHLhOE
                                                                                  MD5:E961A77647E7FC2597A68FF572F730E1
                                                                                  SHA1:976D1CDE1EC28A4992E1CBC345637447115F14C8
                                                                                  SHA-256:A239E99D02FBFC9D30D5B705AA743FC070386FAEA1A66B3D67099AB446568A12
                                                                                  SHA-512:CF72AE18E99942D959BCE58678F544A10C98802D919ADC30737389D6CC0D492F8D7902E0E2CD04501FE6429B96C782649658D2D35C879A202C23E88570A15B94
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1330042 bytes, 5 files, at 0x44 +A "d3dx9_26_x64.cat" +A "d3dx9_26.dll", flags 0x4, ID 6675, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1339234
                                                                                  Entropy (8bit):7.999619123900207
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:acfUVHkSDmhcG/IQtmLMLfNYIpTTHh0am4l76wbh:XUBvDzfQtCMLfNYqXqal75l
                                                                                  MD5:05103E47F259FA22D27C871E4CDEE7D9
                                                                                  SHA1:502FA5D15FE56DCF64431BB7437E723137284899
                                                                                  SHA-256:794E23D8B08F88BB0D339825B3628C24CD0297195657F9871EE6324786FADA36
                                                                                  SHA-512:180E0ABBD97B6781C6639C6AB2A2355400B8E32784A8469C3CBEDEA23B121CAC5BA17F6AA509610D0A1E5830735455690F574054D6224A6A5D2AE70EDB601835
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1344582 bytes, 5 files, at 0x44 +A "d3dx9_27_x64.cat" +A "d3dx9_27.dll", flags 0x4, ID 6663, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1353750
                                                                                  Entropy (8bit):7.999671999388792
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:eG/1unuf7Ga2dGKSnUG+zOADaZmd+JzQpymAFVZcRVhZ9k7LN7QDKW+L:eg4G7GaISn+6FZC+5vmC7EUNRWU
                                                                                  MD5:A9F4068650DF203CEE34E2CA39038618
                                                                                  SHA1:CD8CAECEECD01DAC35B198B42725CBEB5B7965A7
                                                                                  SHA-256:3500C1A7CFB5594521338D1C29946D1E4FFA44D5B6BC6CF347C5BBBDE18E94DC
                                                                                  SHA-512:C92FB461B53051A22FB480BA5B6BF2706614AE93BE055B00280BE4DACE19C1F2A9327106A71851B0E42F39E4172EA3A027F7CE878BCBCB252B723EEA49DBCF1B
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1352016 bytes, 5 files, at 0x44 +A "d3dx9_28_x64.cat" +A "d3dx9_28.dll", flags 0x4, ID 6650, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1361184
                                                                                  Entropy (8bit):7.9996739284035945
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:MWKJ8/HOO46naMPT4WtPIDONJkwzpow5Xl6tgvmKSGfEov6tTc1RImGLtqrtYEm:Mj+146nP3PIabkUl6tg+KSG8o2TcRG8E
                                                                                  MD5:D964ED45FF274DA2C8F48E2CBD00AA9F
                                                                                  SHA1:5C2E5607065238FB24A0B65DDFC904406615E2A9
                                                                                  SHA-256:DAF10A54089755F9A8ACEFF0C7695F1AA42D35E3179DA5B9BB91E409036AE547
                                                                                  SHA-512:A74E2DD4BFB037E5F5A1DEAA86F9C4A354F023B62E1F2075509FB707EEE1725B1136441D1059BD3929AF1A44F6372DABEF9CD15D386A77B2B22A532B74CF16AA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1356836 bytes, 5 files, at 0x44 +A "d3dx9_29_x64.cat" +A "d3dx9_29.dll", flags 0x4, ID 6656, number 1, extra bytes 20 in head, 120 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1366004
                                                                                  Entropy (8bit):7.99967777757325
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:Qllh+6W44yAAf47xvIWTTbTpHe3Agqqvx3C86vBOZw1b4oWU+vz3zJvxfIc:Qh4DhlgWRHeQgtvx3FABOCth8vzN7
                                                                                  MD5:33618039DAC4E97C813E5BC1A499E6C6
                                                                                  SHA1:C792B9D0134DF698476C2FA4179DE6BCE8AA583B
                                                                                  SHA-256:A5FFAF9D58DA5D79402C4DC93E79960F971D2701D4651BB33D18925AF641F11D
                                                                                  SHA-512:35B490903721CA5FAEF73815D4F9C6F52EFAB1FE82A4FDBD7566A1B028525AFD29A72DC68D4B7D219CFA5CB33FEC241D6B2784F15F9795D368DC356B3DF30B5D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 126449 bytes, 5 files, at 0x44 +A "xact_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 6923, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):135617
                                                                                  Entropy (8bit):7.992141777548868
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:EaLgbEzMsJxjJDOAfpPt4HvbVs/m2EKtaVNRF+kA5Y0L5XP/JwObYeM57H:LkgzfxjUWL/3EKtqNlGYeXqObkL
                                                                                  MD5:FEC720C0C15C43569EA9FAB7CEAFEA95
                                                                                  SHA1:C65235B40865725A00675F1BC013BA8B77307669
                                                                                  SHA-256:6456FC26622F3A72B9449ED0E61874CF1ADBA23CCCBFCDA1324F033FE0788FDA
                                                                                  SHA-512:8EDEE940930E3C610E709E2C6348ABAB479628BFAC71A0C507F46AF8D80F1F0C6E31C7C44AF5F884668CE472B281FF18CB44A97AB68232D455B7BC8F89A75268
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 172399 bytes, 6 files, at 0x44 +A "xact_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8042, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):181567
                                                                                  Entropy (8bit):7.99567918868168
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:d0F/biJLp9lt7vCmPW8+bobje8bRuaUDuHxiViqmFT8K9rz3a9cO2A2XSHao4svF:KqvlhXu8++q2WuHYrS8ky2A2XKJvub/I
                                                                                  MD5:582102046D298E7B439C819895F6061D
                                                                                  SHA1:09900F44668350118589F18C693B131D7C1F9238
                                                                                  SHA-256:C91A6380C65853E41E2F9593B954F3B5AF49BCC894476D8EB78CD9F8B6DD7DA4
                                                                                  SHA-512:8AABBCBC88489FF8828D532BE5C1BC0D33D7960F41C7B38348AAE73BA4777999F4358466D061DDD8291DBD434E7741EE2C3215A10F8287BE36209E0842C4EB2D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1391870 bytes, 5 files, at 0x44 +A "d3dx9_30_x64.cat" +A "d3dx9_30.dll", flags 0x4, ID 6646, number 1, extra bytes 20 in head, 123 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1401038
                                                                                  Entropy (8bit):7.999678252363499
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:qpSOf0NLgpl5UCjJlezBreTxpgDysu8tyDJhllXCQaXVVeOYa54Sx0HfWyRA7ydL:80xgpl5UCLezBrg4uDDJhlAQQn8Sk87a
                                                                                  MD5:5EC6F520F3AFCC6494AB0D43B690EBD4
                                                                                  SHA1:2359E14CB6DA44AA89A3815E905D6FFD81960D02
                                                                                  SHA-256:27D99894E2A68601F46487C9999723DC83BCC9C6F903F2E2622D05668035B015
                                                                                  SHA-512:9DB4A9581EDAE2681491D5E13228642737D0D186E0E1672B063482B2E699274ACFCB81DFA9631902E93E009ADC0BBD9447061830C8CE2FEAD6743E2D45AAED60
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 127143 bytes, 5 files, at 0x44 +A "xact2_1_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):136311
                                                                                  Entropy (8bit):7.992811243778454
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:NqvFmCDJEmTNSPtjVgIc5Ul8IlTq3UJWaL6LHZF/U7a7b0qJFkd22ig3nQ1d7+Z/:NYmCyC5U+Il0yWYSMaXzkYQ3nWUZDuY
                                                                                  MD5:A2132A62F9AB0BDDC3207166DC014581
                                                                                  SHA1:53B19AC3E6C6752011BA641EE3C409ED10C95DD9
                                                                                  SHA-256:52C71C89CCC22FED3D7C985A22C464451AF34B63B3A26A3799BC25D881221EBC
                                                                                  SHA-512:76FABD7F440B6F9B409B0B2635EAD4EF332563A9BED738A722A7C6B9A077094154BF735CAF02C67191B08AB0A19FC03E05EF3D984F6E34DCF3BD587A05D2F424
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 173173 bytes, 6 files, at 0x44 +A "xact2_1_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):182341
                                                                                  Entropy (8bit):7.996367169399176
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:iP7n/mIkqSEiqQAK23yLLBIvm2dozls4yaqS0yaP/Y5UZEPnQ79:iPL+fRqQAD3Tvxd8l/zsg5UZEIp
                                                                                  MD5:6CA70CDB3FA575506BA4035E9A50D8E4
                                                                                  SHA1:A2A20F5F95A1AB293A188A55BF593A82EA0DCB7F
                                                                                  SHA-256:F82B2043B470BF0E711C3D05D758A379920340212437917B5D98AF0C14E7BFE0
                                                                                  SHA-512:A453CED526332ACE37861A0A862FFF3710EF74ED57965F28DD279F526A2F33C390E82FD2C49BEE75476E5B4C349C40A71EEE49EDAC720236A16780DFD700FE62
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 127711 bytes, 5 files, at 0x44 +A "xact2_2_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):136903
                                                                                  Entropy (8bit):7.992894428315885
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:D12mlhVvEbdSlFHljhuz+iFmKtp5LW+pc7Y5EExt2KF3:DwkMhqjhuz+efdLy7YSEP2KF3
                                                                                  MD5:CFCCA19D60EC3D822ED5EC8BBADEC941
                                                                                  SHA1:AB0E87182877991810AF48F1478906C1E671829E
                                                                                  SHA-256:23495764ABA10FF35CF9D23AEEFFDF38716219D8A155AE29162F01F7FE6A30CF
                                                                                  SHA-512:2ACAEA2DE2D77BBE8206E8309D48A4CBA432D72FB9BDE2576BCE7A31EE29FDCB0D44C2B996E8DC21A31BCDB03C806E11AD53B74D9C4C972436D5202825900C01
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 174825 bytes, 6 files, at 0x44 +A "xact2_2_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):183993
                                                                                  Entropy (8bit):7.996017590596314
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:fC8YuRPaoTUX/SmAwGUGY+geIhVhbjF/kZ8FyQU02JhzqhA7J4rMgThmwQvzb7e:fCoJaoT8/2Z9YA+VhbR8Zwy3RimwQvzm
                                                                                  MD5:D404CCED69740A65A3051766A37D0885
                                                                                  SHA1:288818F41DA8AB694C846961294EE03D52AEA90D
                                                                                  SHA-256:5163AFA067FE2F076AB428DD368BA0A2CF6470457BA528A35E97BE40737A03C0
                                                                                  SHA-512:87998E67B359C2A0D4F05DC102F6C4DB4F260903385B7558A2C1A71436001D5B18F42B984E6B279A8197243593C385D41F51DE630FA31C5CA5140F6970F87657
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 131275 bytes, 5 files, at 0x44 +A "xact2_3_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):140443
                                                                                  Entropy (8bit):7.993872348182751
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:ZLkEev6VCdOQKPuF/p+emNC4J962LGMlPj6MoCW37gwND08:ZLkEeKCdsPufE59tLGMpxobsG08
                                                                                  MD5:E16F0875713956A6F9CD8C5ACAD36E51
                                                                                  SHA1:984B821EAEF3B549CE0B12F72A405A93E51A9DFE
                                                                                  SHA-256:31B16F93BE7F5F9BB78E9ECE6DA96565D50A0BC1F66B206B7A21C601A308DC53
                                                                                  SHA-512:DD626D5552EAF0C1DBD32BC4DD84811BACE74C6350EDDAC692D3C3E8C393F4A19C26E8F2932F54A14648448912E6B87C796C6EEB6DA9B2C55EC4565983B76189
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 176943 bytes, 6 files, at 0x44 +A "xact2_3_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):186111
                                                                                  Entropy (8bit):7.995685991314543
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:yglGrmTM3Ne3LnSYZr66OltMlRz/EFa6xoXJMOL7CmAvyl81g5K7VQLWRrZL:xESKSRr66OltMlWFa6xoMOL7vmGGCArN
                                                                                  MD5:4BA26F9DCCAEBD7BE849A076EC82D6FF
                                                                                  SHA1:42FB0D0089D8BC92735820F475968F59AF4E4365
                                                                                  SHA-256:13E7EB934A7596E7C3B7D8A0962E68DA841D9C73D154825DC982FF6D05CFF221
                                                                                  SHA-512:4E4FD8A31AC3C2F8CC66D434103C0097AB3FBE2C2E8140AAE2F95FC4AC1927AAE9CDCE8730DD7C4DAD785D9A653D90B0F914B258BB5695C68CA93F605AC82DD4
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1406942 bytes, 5 files, at 0x44 +A "d3dx9_31_x64.cat" +A "d3dx9_31.dll", flags 0x4, ID 6653, number 1, extra bytes 20 in head, 124 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1416110
                                                                                  Entropy (8bit):7.999689455720137
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:DapRo0d7USayTXsV6ZMwksqb7CL7eRS3OnQdPIKoQZvkGVOxtWcjxWO3ehFWG492:DU+0wyTXsMiw+OORhQRdZLdc1BehFV4g
                                                                                  MD5:EDBA7BC2A22F3186420C271B7291DCA3
                                                                                  SHA1:65483DB4269BE348528FD205239B811D775421CA
                                                                                  SHA-256:4F5CFFA56FD44F7775F12FC511A1E3F030C05AC78484F6866B12B82979067C22
                                                                                  SHA-512:90A9FDAD3D7F933DA8C3731E42D262034907D8088B85D7100BE46C57DEF02B436C31EB9FF144B9D67FD931F92A1677EC0CD762D9AAF066BB026F139499BA3A66
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 132057 bytes, 5 files, at 0x44 +A "xact2_4_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):141225
                                                                                  Entropy (8bit):7.994197909856769
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:s0cnkrYXa8cJVIajswPlOA//GNzLriX5MMP6:s0OkrcajIaw+neN+XaMy
                                                                                  MD5:4FD2B859952C008DE0542053B15BF0D1
                                                                                  SHA1:0800CEC84B51FC6362C871FAB87A09DB5C4AD6D4
                                                                                  SHA-256:F6B6EBC9C239C5263AAFAA63FD691DA5AA715E9C794D5FD663E86559D5C6AE56
                                                                                  SHA-512:D656C3BFE4593EA9084A5D09F0173C8F6B7D6229FC7E3F6757AC03089CFA94A7337BBEF0456785B79D777B976F5A8259056D2DDCFE0F74D78C304A02BCEE0AD8
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 176401 bytes, 6 files, at 0x44 +A "xact2_4_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):185569
                                                                                  Entropy (8bit):7.996440771278114
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:m3ZITAOIgaJqZazyaNuGKQb5aML7XTXM9+37VD5d58Oxz+oKG+ONa8bW9uMBowLB:iImMo2aHb0MvDn3jdhzWONFob
                                                                                  MD5:CC568D26B5B4CDA021D528CF75B21699
                                                                                  SHA1:DD47A33950C9E3A88DEFCAA7EA331FB1F1BBAB97
                                                                                  SHA-256:662D4E5D005CDBA02FABB0D7A68A7B48ECAFDEBE21718D892833D5C482E5ADD7
                                                                                  SHA-512:24B53BBD82DEC594D9909352D1F2AFE69B6F082DB99AAB3385826C4E8D22F5C075F3C5A24C8104DBEEF2D894980319AF141C65D768A51936C75092A846F3C8AA
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1565194 bytes, 5 files, at 0x44 +A "d3dx9_32_x64.cat" +A "d3dx9_32.dll", flags 0x4, ID 6631, number 1, extra bytes 20 in head, 137 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1574362
                                                                                  Entropy (8bit):7.999757508861621
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:AbmMc7lXv7PY1QKs16rjZ1w00Z2xgaJgYRf4MyHGktr3+mlQmxHw8gEeGrs+RDb1:Km7lXk1Zs1Mj0SgyqP3RvxQX7G3H1
                                                                                  MD5:2290064562F2D6D197765F4EDEBC5BF0
                                                                                  SHA1:70C2E3C3EB521BA4C46C428D57166631F86512C8
                                                                                  SHA-256:DA1CE01BE39F41F967282849715E8310DC1887BFEB92C4E0166D2C31F00647F7
                                                                                  SHA-512:B25A517DE79668E3ABD88ACDE835DF4A0D69E70CE0E001DB31D5DEBCD812BCE46F4ADA5E07C036C7BBE88D6DFC9F6531B2198F03FC27FA46070C790B45955DEC
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 139639 bytes, 5 files, at 0x44 +A "xact2_5_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7324, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):148831
                                                                                  Entropy (8bit):7.993942345904899
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:kF/u2w4VarOr9vE3eKgpEUcXDlkCAMsukGtnJW+ATOcfKy:kF/JWg9vE3eKzXDeMpNnUOcfKy
                                                                                  MD5:082B7D69F96799AA2AB1A8EA1FA2AB88
                                                                                  SHA1:75C7032B749259977C947A5103F9A4B92C2025DE
                                                                                  SHA-256:B98E55C654B9EE6F6D040665D932BEA7A1299C56CC9996EEA900AC4F5649C7D3
                                                                                  SHA-512:57C96A4C99AB9A7D33A8CC81A3B4E2AB58FE3A2FBC7F79AD688C7D0257D281C662D4CE0737F68C00D15F715BC6177D2FF9CC32A69CFB77216265FA56FF79DD8A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 186515 bytes, 6 files, at 0x44 +A "xact2_5_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8443, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):195683
                                                                                  Entropy (8bit):7.996606477865772
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:ZCISkfUHof5yPnSKfEGMKBQ0sncpIt1EXRN0F+jTx8bh44VhRjR+t2h5fjJfn2Eq:ZNdUIRanSK8Gd0nKIAN0F+RWugXRa2bi
                                                                                  MD5:F34FFBDB67DCF84092C9D321E3343D3F
                                                                                  SHA1:52FAFA930C3464E070E1E4692D4600B12678E9D7
                                                                                  SHA-256:BDAF9C41F83E65DE2B73AACA2002541D48C65F551CFA0578B3259D3BFCA54EAD
                                                                                  SHA-512:A78D32EE71F5B4214E9B8B95FB8BDD4B629D34529FAD7A494219175CE5CC129A3F5C500D426AFE0DE6A680977FB86ABF0B77BE353D8D19D6ED1A11C421C6E757
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 142023 bytes, 5 files, at 0x44 +A "xact2_6_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7329, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):151191
                                                                                  Entropy (8bit):7.993972565562067
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:4uMWvVgAanBDv9WkUtrr/uZfQMyolbnXkFDwoY0ZwuY:BVgAutNUtrLuZfjjljgTY0JY
                                                                                  MD5:A09F7EAB35816D682E7432DBB36B047D
                                                                                  SHA1:DB67B9434ABAA8E7F166956A1C8D01F536162C21
                                                                                  SHA-256:0E3655490667DDF17150AEC089889268BDD7F1E8367D2BED6F3EB68A5FF28288
                                                                                  SHA-512:FB1CDBFB3CDD60783D1C8696EA6EFB746331880C79AA74052808CA09092CF1A2336BF784104D16203740998129B718DC0AD4A632E4031E85CCF340C593F05E57
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 188715 bytes, 6 files, at 0x44 +A "xact2_6_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8448, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):197883
                                                                                  Entropy (8bit):7.995921670109717
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:aX7CLQxFiIUEWXDCsi3jGg+U2p2z51zHdZ5a:78iE1sx0s
                                                                                  MD5:CC622A75240CA96FA8F28BD984BED5BC
                                                                                  SHA1:424F216C5C0E02AE654612EAEB04900C9DAFBC61
                                                                                  SHA-256:3454D5101716A5C17BCDEE8632668D981F99E8558D8D05E20A33ED718ED8C2AC
                                                                                  SHA-512:EAB36CD6BC3AE6F67D89996785F9C7D51E140BFB839A866B4E4FFA7809846DF861D30D1FCE2E1A498E8403DECA5CCBC50B8F37F4C1B4AD3CD3A63B150C49ECEF
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1601398 bytes, 6 files, at 0x44 +A "d3dx9_33_x64.cat" +A "d3dx9_33.dll", flags 0x4, ID 8295, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1610566
                                                                                  Entropy (8bit):7.999804070832858
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:NjzSeifTXjfzuO/m35sCqSrSBEZqyi2bjbBfQbIKpP5FfiB0Qjq/X1ZXp8e:NvSeSTXj7u0OUM9UStQbNd/Gjq/FD
                                                                                  MD5:F33C12F535DC4121E07938629BC6F5B2
                                                                                  SHA1:6B93FBE3D419670A71813E087D289B77E58E482B
                                                                                  SHA-256:3CA2ACF6B952D6438B91E540F39ABCB93EE12E340BA1302F7406F01568E5CF91
                                                                                  SHA-512:DF1753AB43D5B7FDE2A5EB65A77B37BA28599BC0683A4306F101C75F82B0F1A2C8DDF5741981073CC5DF26E9EA38C9A495ED0FB1689D2E7FC7D6F693759C822A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 692652 bytes, 7 files, at 0x44 +A "d3dx10_33_x64.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 10164, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):701820
                                                                                  Entropy (8bit):7.999560976493214
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:RK6/uIaEOb2fc+HdQn/lDTK79RrFEYnj3LUFWQJcR1WrADy2IYxUSsEtiqUoY:RUlb2fc+9Qn/u9RrFEO3LUjU95I/EtiL
                                                                                  MD5:906318E8C444DAAAEA30550D5024F235
                                                                                  SHA1:3F3DCCF0A8A1CBF6F603BE1DA02E1E2BF89D24FC
                                                                                  SHA-256:1A37565C5B868B6A5C67F3E24B8AF547506799444CB77C7086E7B0CEC852F239
                                                                                  SHA-512:0A7AED2F49EA3DCBCA1607FC46F166A44BC9D08589DB05051B422C8AD84ADF322352F71333367C612F9579B4AACB4CD6B82489DDF168AD67FB4D42AB52999C88
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 145265 bytes, 6 files, at 0x44 +A "xact2_7_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 9001, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):154433
                                                                                  Entropy (8bit):7.994491966822324
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:BcJ4S2kOBrMASnHr7M58QmpeFT7582Skd1ksaIwbhQDp9kkIFxYJQZW9379+:BQ4S2kOi/MKbSV82xKnDVQ/EqQZa3k
                                                                                  MD5:8922189C0A46D26B2C52C65515D87180
                                                                                  SHA1:27830C01AFB15158186A045B7224EF33793AD211
                                                                                  SHA-256:39F970BF4CC42E9325ADA84A603C6C691BF94921385A52325F402F7432ACE697
                                                                                  SHA-512:53D51CAA2CF448681A709F2B9737EF75DEA4E9A46E2B29E6588B13E941671643A64D3597649AA2AE0B1FE9E5D591ED00BAD9FF3344CA62851E03A68279142CAB
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 189806 bytes, 7 files, at 0x44 +A "xact2_7_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 10116, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):198974
                                                                                  Entropy (8bit):7.996718266567073
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:kr+0amjUgjJG0HRzMUxWDJkUMP9KeK17dq569:krPVzjf+pk9keKdq5q
                                                                                  MD5:FBB6AA140D5D0AA28A7561EA15D69E72
                                                                                  SHA1:26804276EDBB1EE23B96690B40A01BB9C723F7DA
                                                                                  SHA-256:7781F0494648989583D4AC7695B9C5310EEA76B6A102E15EA0FC7376250E4584
                                                                                  SHA-512:08D6F2EF3346229F71E9FD6904D99BCB69F0A03CBD2D428F0A3BA58836694B801446165814AEE120B4C5EB7046184B08FB49248F5E1941579B9CAEAF9FBA1B1A
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1601814 bytes, 6 files, at 0x44 +A "d3dx9_34_x64.cat" +A "d3dx9_34.dll", flags 0x4, ID 8310, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1611006
                                                                                  Entropy (8bit):7.999795394912666
                                                                                  Encrypted:true
                                                                                  SSDEEP:49152:dyO6V3G0SAcId5iPNJKbtZJSlR3Q0872iOda:dyDlSA/5iPNY7Jo3GPOda
                                                                                  MD5:8DBAA3047397EE4CFCA2EFFFCC2DFBD1
                                                                                  SHA1:D88FAD72D7EAF38B8469B2B8492311C39C42BE04
                                                                                  SHA-256:FE4B15931E048C97CBBC26F753093E7D41ECCF174402542631284F8BDB9EE692
                                                                                  SHA-512:1CE01BF0BD4C0D832D95B13E958DA6CB69C0D3949B128FCF40EC59ECC0AD8989B27C91EAC28CD98777D57DFEB811CC1077FDB87348A11B6370D806771D7E742D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 693084 bytes, 7 files, at 0x44 +A "d3dx10_34_x64.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 10180, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):702252
                                                                                  Entropy (8bit):7.999542751209748
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:8B7y3n2GQi70ZEqAEToKVkDYK96luRC/Qwrkxb0b9fhXNkVkN2t3r1:8BO/j0ZWET/isK96luRC/jk49JN2t71
                                                                                  MD5:1AB35D11274D1ADBD316B19C44B9AE41
                                                                                  SHA1:14165EC367CE179588C8A5806FC968FDB49B4ACA
                                                                                  SHA-256:02ED1B5A850EDB52EC174DE177E91842EDC7C5F4C06CEDA5B16F3427DBCD4C99
                                                                                  SHA-512:71C8FAC7C95211D323C4FB6A02916E7D43EE399BBE0F1D983B5AC210F5039B23355F40B36F023F3C36E19787E2871A60CC389E51D6327652CD84D9E3B93D5A4D
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 146949 bytes, 6 files, at 0x44 +A "xact2_8_x86.cat" +A "x3daudio1_2.dll", flags 0x4, ID 9016, number 1, extra bytes 20 in head, 10 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):156117
                                                                                  Entropy (8bit):7.994909703055095
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:tG7RXkNHRrOaYVD5yEThWmLksx2MeEm6oOD4+3y20OXtGhlYRTPZDT5P/lJXptA:eX8KVD5yETfLksAMUHo4+T5IhlYRDZDy
                                                                                  MD5:001CFF513A31EE082133E7BA3B0D71A2
                                                                                  SHA1:4517610A25239A16C26CA9890E1F0E52DDA3781A
                                                                                  SHA-256:245B0C554CBE2677939A70E5C4C6666B1B43D10D47980223F8CDEADB2D0EB76B
                                                                                  SHA-512:7119F6CA16FE6D968310F34828F30D8144531B89583CFD529056D2E31D5164FC65136FA9015B69849F724EC641A9291AC644C91CC3FA8EBDD4DAF9CF5A665A7F
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 191162 bytes, 7 files, at 0x44 +A "xact2_8_x64.cat" +A "x3daudio1_2.dll", flags 0x4, ID 10131, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):200354
                                                                                  Entropy (8bit):7.996324633982409
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:Oxuwfa4lebkGyR+DPZLOYZ9lD7baC+PJEDzfYPO6quXhBhYDLk0siPnJ8WKKiu:Oja4WkNWOYxX1+++vRB200ssJ8G
                                                                                  MD5:B9648D12DF695290BE0479C1E78894C7
                                                                                  SHA1:932627D40A83411F9F4006792ADEEB4C3A74CF37
                                                                                  SHA-256:3F2CA0ACCEF2594FB014296F4111B7FBB59729C5D928B22F7283C392494FEE7C
                                                                                  SHA-512:240B622B02C5FA3D036043ECBE5BF29FEE447147AF36E795BFAE83FAFA35934FC22A3E9CC2D846BD880D7808897355E16696C555146EE69864472D4600AD25B6
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 1794200 bytes, 6 files, at 0x44 +A "d3dx9_35_x64.cat" +A "d3dx9_35.dll", flags 0x4, ID 8299, number 1, extra bytes 20 in head, 158 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):1803368
                                                                                  Entropy (8bit):7.9998161056633865
                                                                                  Encrypted:true
                                                                                  SSDEEP:24576:PMXSYnySbH+yjdYmHPvYn1ZaRSJwF3IwnWkKxpnQfp9sDEYuNHtMJ11yD6TgkRW1:0XS+q4YoIyIJwNImAQHNNMncD6MedsR
                                                                                  MD5:DDFEF236E7D70471AAA1741A8ABFB735
                                                                                  SHA1:5F7ACDE3116A6D4363410D984B9C8919674EC9C9
                                                                                  SHA-256:28B6FF092DE67717C47649C87E7114C34325EDDA199CE2943403C4F3F4C3E0B2
                                                                                  SHA-512:00990F7E6F266C67385813B0BA399A2A2C970DCFAAEB7FAB183E2EC0CC50613CB0AD57200BCDC731900D8F7E609C95E8FF9CDDAA52BCE2CCEDBCF4E9F74008CE
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  File Type:Microsoft Cabinet archive data, many, 846326 bytes, 7 files, at 0x44 +A "d3dx10_35_x64.cat" +A "d3dcompiler_35.dll", flags 0x4, ID 10170, number 1, extra bytes 20 in head, 79 datablocks, 0x1503 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):855494
                                                                                  Entropy (8bit):7.999465744344346
                                                                                  Encrypted:true
                                                                                  SSDEEP:12288:zjF8w0LrsXJsv8dTWuiF8xcg+6FPwZuTCsIJRTrDUrcLUWKUlmeLbPzifDrr2VNt:t5YidTlG8htw6CRXLUW5VDSMKCZH1
                                                                                  MD5:8F715D741B7401547A263FD4AF02E7BA
                                                                                  SHA1:39C031174008A0E7BD603A5670F578C0CC6443DD
                                                                                  SHA-256:C97275F60E2F25732B3B264B8BDF9CFDAA39D6E5B189C08FAB5CD7A04FAE9BF7
                                                                                  SHA-512:27CDB534361C1F6205585E1BAABD83B03F6715D29AFB61351F660BED1CCD1EF035C6541AD7E4C551BFDD2AA8FE77A903D23EB27618ED369C37A369D373467C8C
                                                                                  Malicious:true
                                                                                  File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                  Entropy (8bit):7.999178152403803
                                                                                  TrID:
                                                                                  • ZIP compressed archive (8000/1) 100.00%
                                                                                  File name:Palworld.zip
                                                                                  File size:366'895 bytes
                                                                                  MD5:4af36f42ac61e323cfa0de0eed389cbd
                                                                                  SHA1:0e407221f4c2ec47349c8c082bd8c9a48b6fba82
                                                                                  SHA256:aeb353769a5660d11af3fe28faf383cef65ba1ec9e1ba17d60c12a77bffde2fb
                                                                                  SHA512:fa78213cf874d9f690751e49bc0ab6eecb45b61156859593c52e6a5186863d14b00d27075243c5133a82c43474ebda6b2a85674b9567df11ec8ce383da8aed38
                                                                                  SSDEEP:6144:yti7sjGc2lcXmrTkQq5RvbslFk0KvVRqVOj1/jckwTXRw6B+MQxt897:/oCcPgTRqji1KWIjhckGXnQL85
                                                                                  TLSH:307423DCF56136FE8CFD739E4643418EC4BA02DC5B943E8B42204B2CD17066AED5979A
                                                                                  Icon Hash:1c1c1e4e4ececedc
                                                                                  No network behavior found


                                                                                  Target ID:1
                                                                                  Start time:18:56:51
                                                                                  Start date:30/01/2024
                                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                  Imagebase:0x7ff66cb30000
                                                                                  File size:71'680 bytes
                                                                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:18:57:06
                                                                                  Start date:30/01/2024
                                                                                  Path:C:\Users\user\Desktop\Palworld\dxwebsetup.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\Desktop\Palworld\dxwebsetup.exe"
                                                                                  Imagebase:0x1000000
                                                                                  File size:295'320 bytes
                                                                                  MD5 hash:2CBD6AD183914A0C554F0739069E77D7
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:18:57:06
                                                                                  Start date:30/01/2024
                                                                                  Path:C:\Users\user\Desktop\Palworld\dxwebsetup.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\Palworld\dxwebsetup.exe"
                                                                                  Imagebase:0x1000000
                                                                                  File size:295'320 bytes
                                                                                  MD5 hash:2CBD6AD183914A0C554F0739069E77D7
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  Target ID:10
                                                                                  Start time:18:57:07
                                                                                  Start date:30/01/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                  Imagebase:0x970000
                                                                                  File size:527'360 bytes
                                                                                  MD5 hash:AC3A5F7BE8CD13A863B50AB5FE00B71C
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 0%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  Target ID:12
                                                                                  Start time:18:58:37
                                                                                  Start date:30/01/2024
                                                                                  Path:C:\Users\user\Desktop\Palworld\Palworld.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\Desktop\Palworld\Palworld.exe"
                                                                                  Imagebase:0x7ff6d4370000
                                                                                  File size:182'784 bytes
                                                                                  MD5 hash:A9181A14270AD54407A16516C05817BE
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true


                                                                                    Execution Graph

                                                                                    Execution Coverage:22.9%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:24.1%
                                                                                    Total number of Nodes:83
                                                                                    Total number of Limit Nodes:5

                                                                                    Callgraph

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • RegCreateKeyExA.KERNELBASE(80000002,0100A0C4,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 010019E4
                                                                                    • wsprintfA.USER32 ref: 01001A09
                                                                                    • RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?), ref: 01001A1D
                                                                                    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 01001A56
                                                                                    • LoadLibraryA.KERNELBASE(00000000), ref: 01001A74
                                                                                    • FreeLibrary.KERNELBASE(?), ref: 01001A9F
                                                                                    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 01001AB1
                                                                                    • lstrlen.KERNEL32(0100AC44), ref: 01001AD7
                                                                                    • lstrlen.KERNEL32(00000000), ref: 01001AE2
                                                                                    • LocalAlloc.KERNEL32(00000040,00000050), ref: 01001AEB
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000104), ref: 01001B19
                                                                                    • wsprintfA.USER32 ref: 01001B59
                                                                                    • lstrlen.KERNEL32(00000000), ref: 01001B63
                                                                                    • RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000001), ref: 01001B70
                                                                                    • RegCloseKey.KERNELBASE(?), ref: 01001B79
                                                                                    • LocalFree.KERNEL32(00000000), ref: 01001B80
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2965122664.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01001000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_1001000_dxwebsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrlen$DirectoryFreeLibraryLocalSystemValuewsprintf$AllocCloseCreateFileLoadModuleNameQuery
                                                                                    • String ID: %s /D:%s$DelNodeRunDLL32$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                                                    • API String ID: 3721875013-3876174064
                                                                                    • Opcode ID: 5d94104a00e9d0ccd01717d02609a08f8015148e237d1d63623d6869345cfc5d
                                                                                    • Instruction ID: bcd9c67c776e79ec80fa89b258506c9e143caafd4bb2848af9ab02cf1fab0281
                                                                                    • Opcode Fuzzy Hash: 5d94104a00e9d0ccd01717d02609a08f8015148e237d1d63623d6869345cfc5d
                                                                                    • Instruction Fuzzy Hash: 31514071A40218BBEB229BA5DD49EDE7BBCEB08700F004495F685E6085D7B9DA41CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 24 1001e52-1001e76 RegOpenKeyExA 25 1001e78-1001e8d RegQueryValueExA 24->25 26 1001e9b-1001ea0 24->26 27 1001e92-1001e95 RegCloseKey 25->27 28 1001e8f 25->28 27->26 28->27
                                                                                    APIs
                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 01001E6E
                                                                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?), ref: 01001E85
                                                                                    • RegCloseKey.KERNELBASE(?), ref: 01001E95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2965122664.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01001000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_1001000_dxwebsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3677997916-0
                                                                                    • Opcode ID: 7a797c0b9dcb7767ccf906ce318d436ef8d89cccfb9cdaf3cd7182f96baaf62c
                                                                                    • Instruction ID: 28be454f978d5970a4e16e1394c3bca2c1ef4d0bed3d580e281dbf39f647a0de
                                                                                    • Opcode Fuzzy Hash: 7a797c0b9dcb7767ccf906ce318d436ef8d89cccfb9cdaf3cd7182f96baaf62c
                                                                                    • Instruction Fuzzy Hash: E1F0D475A01128FBEB229F92DD08DEFBFACEF057A0F008055F98996150D771DA10EBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 010015F6: LoadLibraryA.KERNEL32(advapi32.dll), ref: 0100161A
                                                                                      • Part of subcall function 010015F6: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0100165E
                                                                                      • Part of subcall function 010015F6: FreeSid.ADVAPI32(?), ref: 01001672
                                                                                      • Part of subcall function 010015F6: FreeLibrary.KERNEL32(?), ref: 0100167C
                                                                                    • GetCurrentProcess.KERNEL32(00000008,?), ref: 010016CF
                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 010016D6
                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 010016F6
                                                                                    • GetLastError.KERNEL32 ref: 01001700
                                                                                    • LocalAlloc.KERNEL32(00000000,?), ref: 01001714
                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 0100172D
                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0100174A
                                                                                    • EqualSid.ADVAPI32(00000004,?), ref: 01001760
                                                                                    • FreeSid.ADVAPI32(?), ref: 01001782
                                                                                    • LocalFree.KERNEL32(00000000), ref: 01001789
                                                                                    • CloseHandle.KERNEL32(?), ref: 01001793
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2965122664.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01001000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_1001000_dxwebsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AllocCloseCurrentEqualErrorHandleLastLoadOpen
                                                                                    • String ID:
                                                                                    • API String ID: 793078628-0
                                                                                    • Opcode ID: bb5fe4861fc728833115231643eac192e69f4f778fcc582930cb2832bc57f699
                                                                                    • Instruction ID: fa5215c0b5e6886bf03ae5b40989aa8fe66889e67d1830d7472693dfac7b44e0
                                                                                    • Opcode Fuzzy Hash: bb5fe4861fc728833115231643eac192e69f4f778fcc582930cb2832bc57f699
                                                                                    • Instruction Fuzzy Hash: A7315E71A00249EFEB23DBA49988EEE7BB9FF04340F5004A5F6C5E2085D775D644CB61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • lstrcpy.KERNEL32(?,?), ref: 01001CAD
                                                                                    • lstrcat.KERNEL32(?,0100128C), ref: 01001CC1
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 01001CD1
                                                                                    • lstrcpy.KERNEL32(?,?), ref: 01001CEB
                                                                                    • lstrcmp.KERNEL32(?,01001288), ref: 01001D02
                                                                                    • lstrcmp.KERNEL32(?,01001284), ref: 01001D18
                                                                                    • lstrcat.KERNEL32(?,?), ref: 01001D30
                                                                                    • lstrcat.KERNEL32(?,?), ref: 01001D59
                                                                                    • FindNextFileA.KERNEL32(?,00000010), ref: 01001D84
                                                                                    • FindClose.KERNEL32(?), ref: 01001D95
                                                                                    • RemoveDirectoryA.KERNEL32(?), ref: 01001D9C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2965122664.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01001000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_1001000_dxwebsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Findlstrcat$Filelstrcmplstrcpy$CloseDirectoryFirstNextRemove
                                                                                    • String ID:
                                                                                    • API String ID: 2848787617-0
                                                                                    • Opcode ID: 4ab2d1adc861ee376fe6417c4b70ad234cb15c40ff7beeece14c99d657c3a8df
                                                                                    • Instruction ID: a00f6dc85045b5a751000bc1c93d4bef5bd8a44fc60f5db9cfdca4d6f7f72306
                                                                                    • Opcode Fuzzy Hash: 4ab2d1adc861ee376fe6417c4b70ad234cb15c40ff7beeece14c99d657c3a8df
                                                                                    • Instruction Fuzzy Hash: 0F3119B690415DABEF62EBB5DD88FCA7BBCAF14340F440592B6C5D2084DBB4D6848F60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 101 10018b5-10018d3 GetCurrentProcess OpenProcessToken 102 10018e1-1001913 LookupPrivilegeValueA AdjustTokenPrivileges 101->102 103 10018d5-10018df 101->103 105 1001920-100192a 102->105 106 1001915-100191e 102->106 104 1001936-100193e 103->104 111 1001943-1001945 104->111 109 1001940-1001942 105->109 110 100192c-1001931 105->110 106->104 109->111 110->104
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 010018C2
                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 010018C9
                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 010018EB
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0100190A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2965122664.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01001000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_1001000_dxwebsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                    • String ID: SeShutdownPrivilege
                                                                                    • API String ID: 2349140579-3733053543
                                                                                    • Opcode ID: 5c5867862be160855593b21028be569d484c2d5728f526fa0e32b4ad4f6b976e
                                                                                    • Instruction ID: 05607d40d37e3d7cfa1acf5e7c24027e9414555ed0db78eb33ce689f5d9f9449
                                                                                    • Opcode Fuzzy Hash: 5c5867862be160855593b21028be569d484c2d5728f526fa0e32b4ad4f6b976e
                                                                                    • Instruction Fuzzy Hash: 21014C71642225BAF7329BA28C0DFEF7EACEF06794F000410BA89E40C5D6B5D70496F5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 82 1001b8b-1001b9d 83 1001ba3-1001bbf 82->83 84 1001c7c-1001c7e 82->84 83->84 86 1001bc5-1001beb RegQueryValueExA 83->86 87 1001bf1-1001c1b GetSystemDirectoryA 86->87 88 1001c72-1001c7b 86->88 89 1001c1d-1001c28 87->89 90 1001c2e-1001c69 wsprintfA lstrlen 87->90 88->84 89->90 90->88
                                                                                    APIs
                                                                                    • RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?), ref: 01001BE3
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 01001C12
                                                                                    • wsprintfA.USER32 ref: 01001C46
                                                                                    • lstrlen.KERNEL32(?), ref: 01001C56
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2965122664.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01001000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_1001000_dxwebsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryQuerySystemValuelstrlenwsprintf
                                                                                    • String ID: rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                                                    • API String ID: 770829711-2593670723
                                                                                    • Opcode ID: e75a87f575a87b88306cb88d64188b753a6e3c5b2626c8ce63df789149fba349
                                                                                    • Instruction ID: 2fb7fcdbff80cae6b570ff950ba8ccadd0e573114065fe0f363dccfd66d38777
                                                                                    • Opcode Fuzzy Hash: e75a87f575a87b88306cb88d64188b753a6e3c5b2626c8ce63df789149fba349
                                                                                    • Instruction Fuzzy Hash: 25215375A4021CBBEB22DBA5DD49FDABB7CEB08740F0000A5F689E6081D7B5DB448F60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 92 10015f6-1001625 LoadLibraryA 93 1001683-1001688 92->93 94 1001627-1001638 92->94 96 1001679-1001682 FreeLibrary 94->96 97 100163a-1001666 AllocateAndInitializeSid 94->97 96->93 98 1001678 97->98 99 1001668-1001672 FreeSid 97->99 98->96 99->98
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0100161A
                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0100165E
                                                                                    • FreeSid.ADVAPI32(?), ref: 01001672
                                                                                    • FreeLibrary.KERNEL32(?), ref: 0100167C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2965122664.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01001000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_1001000_dxwebsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary$AllocateInitializeLoad
                                                                                    • String ID: CheckTokenMembership$advapi32.dll
                                                                                    • API String ID: 2374981305-1888249752
                                                                                    • Opcode ID: 05aef74ab9c6aad8ac387d91b692b6fb9c51c55194fb5577f0a734ca75a63f4d
                                                                                    • Instruction ID: 7c54915b23e232019903c0576df7497f5bb26148f144bc74401e3466b5a6cae1
                                                                                    • Opcode Fuzzy Hash: 05aef74ab9c6aad8ac387d91b692b6fb9c51c55194fb5577f0a734ca75a63f4d
                                                                                    • Instruction Fuzzy Hash: 87117071944289FBDB12DFA99C48ADEBFB8EF18344F540099F181A3181C6758A04CB65
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 112 1001ddf-1001dff GetWindowsDirectoryA 113 1001e01-1001e37 WritePrivateProfileStringA 112->113 114 1001e4d-1001e51 112->114 117 1001e39-1001e46 _llseek _lclose 113->117 118 1001e4c 113->118 117->118 118->114
                                                                                    APIs
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 01001DF7
                                                                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 01001E1D
                                                                                    • _llseek.KERNEL32(00000000,00000000,00000002), ref: 01001E3D
                                                                                    • _lclose.KERNEL32(00000000), ref: 01001E46
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2965122664.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01001000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_1001000_dxwebsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek
                                                                                    • String ID: wininit.ini
                                                                                    • API String ID: 3481966002-4206010578
                                                                                    • Opcode ID: 33bb5396c23d974d2fbc9a26ebd13b6f924a008bcaa109b51e7b3c9eaee11000
                                                                                    • Instruction ID: b7b4abcde96b08424be1b8ef761040528c423947c2d44bd333b95f446d3817fe
                                                                                    • Opcode Fuzzy Hash: 33bb5396c23d974d2fbc9a26ebd13b6f924a008bcaa109b51e7b3c9eaee11000
                                                                                    • Instruction Fuzzy Hash: BCF0AFB6600194A7E732E7799D8CEEB3ABCAB85710F000095B7D9E30C0D6B8C9458B70
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 119 10017b1-10017c2 120 10017c4-10017c5 119->120 121 10017eb-1001833 GetDesktopWindow LoadStringA SetDlgItemTextA MessageBeep 119->121 122 10017c7-10017c9 120->122 123 10017cb-10017d2 120->123 127 1001839-100183b 121->127 124 100183c-100183d 122->124 123->122 125 10017d4-10017db 123->125 125->122 128 10017dd-10017e9 EndDialog 125->128 127->124 128->127
                                                                                    APIs
                                                                                    • EndDialog.USER32(?,0000083E), ref: 010017E3
                                                                                    • GetDesktopWindow.USER32 ref: 010017EB
                                                                                    • LoadStringA.USER32(?,00000000,00000200), ref: 01001816
                                                                                    • SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 0100182B
                                                                                    • MessageBeep.USER32(000000FF), ref: 01001833
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2965122664.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01001000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_1001000_dxwebsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1273765764-0
                                                                                    • Opcode ID: 52c35957c5d6308ac9e5b8dfae4ee701d5fa30329f22752cf5df4afad45c4fb5
                                                                                    • Instruction ID: dbb55cd7090eff77bfa65d7c4eba401a97cfafb7d2c079e3b47d5aa362050595
                                                                                    • Opcode Fuzzy Hash: 52c35957c5d6308ac9e5b8dfae4ee701d5fa30329f22752cf5df4afad45c4fb5
                                                                                    • Instruction Fuzzy Hash: D601283140024AABFB265FA4DC4CAEA3AB8BB04745F044564BAA9950E5CBB9CB51CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Execution Graph

                                                                                    Execution Coverage:10.5%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:14%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:41
13177->13181 13182 6cbf1e83 13177->13182 13180 6cbee2e1 __lseeki64 60 API calls 13178->13180 13183 6cbf24b0 13179->13183 13184 6cbf1e18 13180->13184 13186 6cbf1ebb 13181->13186 13190 6cbf1c2e __lseeki64 62 API calls 13181->13190 13185 6cbee2e1 __lseeki64 60 API calls 13182->13185 13183->13095 13187 6cbee2c9 _write_string 60 API calls 13184->13187 13189 6cbf1e88 13185->13189 13188 6cbf25ec _fprintf 60 API calls 13186->13188 13191 6cbf1e1f 13187->13191 13192 6cbf1ec4 13188->13192 13193 6cbee2c9 _write_string 60 API calls 13189->13193 13190->13186 13194 6cbee272 __fclose_nolock 5 API calls 13191->13194 13195 6cbf212a 13192->13195 13201 6cbec386 __getptd 60 API calls 13192->13201 13196 6cbf1e91 13193->13196 13194->13176 13198 6cbf23e8 WriteFile 13195->13198 13199 6cbf2138 13195->13199 13197 6cbee272 __fclose_nolock 5 API calls 13196->13197 13197->13176 13202 6cbf241b GetLastError 13198->13202 13228 6cbf22d7 13198->13228 13200 6cbf2207 13199->13200 13213 6cbf214c 13199->13213 13215 6cbf22dc 13200->13215 13217 6cbf2214 13200->13217 13203 6cbf1edf GetConsoleMode 13201->13203 13204 6cbf2125 13202->13204 13203->13195 13205 6cbf1f06 13203->13205 13204->13176 13206 6cbf2467 13204->13206 13210 6cbf243a 13204->13210 13205->13195 13208 6cbf1f17 GetConsoleCP 13205->13208 13206->13176 13209 6cbee2c9 _write_string 60 API calls 13206->13209 13207 6cbf21ab WriteFile 13207->13202 13207->13213 13208->13204 13234 6cbf1f40 13208->13234 13216 6cbf248a 13209->13216 13211 6cbf2459 13210->13211 13212 6cbf2445 13210->13212 13222 6cbee2f9 __dosmaperr 60 API calls 13211->13222 13219 6cbee2c9 _write_string 60 API calls 13212->13219 13213->13204 13213->13206 13213->13207 13214 6cbf234d WideCharToMultiByte 13214->13202 13220 6cbf2384 WriteFile 13214->13220 13215->13206 13215->13214 13223 6cbee2e1 __lseeki64 60 API calls 13216->13223 13217->13206 13218 6cbf2276 WriteFile 13217->13218 13221 6cbf2272 13217->13221 13218->13202 13218->13221 13224 6cbf244a 13219->13224 13225 6cbf23bb GetLastError 
13220->13225 13229 6cbf23af 13220->13229 13221->13204 13221->13217 13221->13218 13221->13228 13222->13176 13223->13176 13226 6cbee2e1 __lseeki64 60 API calls 13224->13226 13225->13229 13226->13176 13228->13204 13229->13204 13229->13215 13229->13220 13229->13228 13230 6cbf5814 10 API calls __locking 13232 6cbf2025 13230->13232 13231 6cbf59f7 72 API calls __fassign 13231->13234 13232->13202 13232->13204 13232->13230 13232->13234 13236 6cbf2046 WriteFile 13232->13236 13233 6cbf1fcd WideCharToMultiByte 13233->13204 13235 6cbf2004 WriteFile 13233->13235 13234->13204 13234->13231 13234->13232 13234->13233 13240 6cbf2835 13234->13240 13235->13202 13235->13232 13236->13202 13236->13232 13243 6cbf2b38 LeaveCriticalSection 13237->13243 13239 6cbf2591 13239->13092 13241 6cbf27f8 __isleadbyte_l 70 API calls 13240->13241 13242 6cbf2844 13241->13242 13242->13234 13243->13239 13245 6cbd98a0 13244->13245 13246 6cbd97a5 96 API calls 13245->13246 13247 6cbd98c7 13245->13247 13246->13247 13247->12584 13247->12592 13303 6cbead75 13248->13303 13250 6cbd99a1 13250->12584 13250->12588 13739 6cbeaca5 13251->13739 13254 6cbeac84 13750 6cbeabde 13254->13750 13260 6cbeaa9d __calloc_impl 13257->13260 13258 6cbeaaab 13259 6cbee2c9 _write_string 60 API calls 13258->13259 13261 6cbeaab0 13259->13261 13260->13258 13262 6cbeab71 13260->13262 13264 6cbee4d0 __fileno 60 API calls 13260->13264 13263 6cbee272 __fclose_nolock 5 API calls 13261->13263 13761 6cbee7bd 13262->13761 13269 6cbeaac0 __calloc_impl 13263->13269 13265 6cbeaae9 13264->13265 13268 6cbee4d0 __fileno 60 API calls 13265->13268 13283 6cbeab11 13265->13283 13267 6cbeab89 13767 6cbee88b 13267->13767 13271 6cbeaaf5 13268->13271 13269->12606 13276 6cbee4d0 __fileno 60 API calls 13271->13276 13271->13283 13272 6cbee4d0 __fileno 60 API calls 13274 6cbeab2e 13272->13274 13280 6cbeab56 13274->13280 13281 6cbee4d0 __fileno 60 API calls 13274->13281 13277 6cbeab01 13276->13277 13279 6cbee4d0 __fileno 60 API calls 13277->13279 13279->13283 
13280->13258 13280->13262 13284 6cbeab3a 13281->13284 13283->13258 13283->13272 13284->13280 13287 6cbee4d0 __fileno 60 API calls 13284->13287 13288 6cbeab46 13287->13288 13289 6cbee4d0 __fileno 60 API calls 13288->13289 13289->13280 13291 6cbeaa1c __calloc_impl 13290->13291 13292 6cbeaa4d 13291->13292 13293 6cbeaa30 13291->13293 13295 6cbee7bd _fprintf 61 API calls 13292->13295 13301 6cbeaa45 __calloc_impl 13292->13301 13294 6cbee2c9 _write_string 60 API calls 13293->13294 13296 6cbeaa35 13294->13296 13297 6cbeaa65 13295->13297 13298 6cbee272 __fclose_nolock 5 API calls 13296->13298 13801 6cbea994 13297->13801 13298->13301 13301->12608 13304 6cbead81 __calloc_impl 13303->13304 13305 6cbeada6 13304->13305 13306 6cbead94 13304->13306 13308 6cbeadb4 13305->13308 13309 6cbeadd9 13305->13309 13307 6cbee2c9 _write_string 60 API calls 13306->13307 13317 6cbead99 __calloc_impl @_EH4_CallFilterFunc@8 13307->13317 13310 6cbee2c9 _write_string 60 API calls 13308->13310 13325 6cbeed23 13309->13325 13311 6cbeadb9 13310->13311 13313 6cbee272 __fclose_nolock 5 API calls 13311->13313 13313->13317 13314 6cbeadde 13315 6cbeade5 13314->13315 13316 6cbeadf2 13314->13316 13318 6cbee2c9 _write_string 60 API calls 13315->13318 13319 6cbeae19 13316->13319 13320 6cbeadf9 13316->13320 13317->13250 13318->13317 13344 6cbeea7c 13319->13344 13322 6cbee2c9 _write_string 60 API calls 13320->13322 13322->13317 13326 6cbeed2f __calloc_impl 13325->13326 13327 6cbef9d0 __calloc_impl 60 API calls 13326->13327 13328 6cbeed3d 13327->13328 13329 6cbeedae 13328->13329 13330 6cbeedaa 13328->13330 13372 6cbef908 13328->13372 13401 6cbee7f7 13328->13401 13406 6cbee85e 13328->13406 13331 6cbeb8aa __getstream 60 API calls 13329->13331 13369 6cbeee40 13330->13369 13333 6cbeedb8 13331->13333 13333->13330 13337 6cbf1a18 ___crtInitCritSecAndSpinCount 60 API calls 13333->13337 13334 6cbeee35 __calloc_impl 13334->13314 13338 6cbeeddd 13337->13338 13339 6cbeedfb EnterCriticalSection 13338->13339 13340 6cbeede8 
13338->13340 13339->13330 13342 6cbeb293 __fclose_nolock 60 API calls 13340->13342 13343 6cbeedf0 13342->13343 13343->13330 13345 6cbeea9e 13344->13345 13346 6cbeeab2 13345->13346 13356 6cbeead1 13345->13356 13347 6cbee2c9 _write_string 60 API calls 13346->13347 13348 6cbeeab7 13347->13348 13349 6cbee272 __fclose_nolock 5 API calls 13348->13349 13355 6cbeae24 13349->13355 13350 6cbeecbd 13352 6cbee2c9 _write_string 60 API calls 13350->13352 13351 6cbeecd7 13417 6cbf35a2 13351->13417 13354 6cbeecc2 13352->13354 13357 6cbee272 __fclose_nolock 5 API calls 13354->13357 13366 6cbeae3f 13355->13366 13356->13350 13365 6cbeec6d 13356->13365 13420 6cbf3974 13356->13420 13357->13355 13362 6cbf37e8 95 API calls 13363 6cbeec84 13362->13363 13364 6cbf37e8 95 API calls 13363->13364 13363->13365 13364->13365 13365->13350 13365->13351 13732 6cbee824 13366->13732 13368 6cbeae47 13368->13317 13411 6cbef8ec LeaveCriticalSection 13369->13411 13371 6cbeee47 13371->13334 13373 6cbef914 __calloc_impl 13372->13373 13374 6cbef93c 13373->13374 13375 6cbef924 13373->13375 13383 6cbef94a __calloc_impl 13374->13383 13390 6cbef93a 13374->13390 13376 6cbf14d0 __FF_MSGBANNER 60 API calls 13375->13376 13377 6cbef929 13376->13377 13380 6cbf1346 __amsg_exit 60 API calls 13377->13380 13378 6cbeb8aa __getstream 60 API calls 13379 6cbef955 13378->13379 13381 6cbef95c 13379->13381 13382 6cbef96b 13379->13382 13384 6cbef930 13380->13384 13385 6cbee2c9 _write_string 60 API calls 13381->13385 13386 6cbef9d0 __calloc_impl 60 API calls 13382->13386 13383->13328 13387 6cbebe5c __mtinitlocknum 3 API calls 13384->13387 13388 6cbef961 13385->13388 13389 6cbef972 13386->13389 13387->13390 13388->13383 13391 6cbef97a 13389->13391 13392 6cbef9a6 13389->13392 13390->13374 13390->13378 13394 6cbf1a18 ___crtInitCritSecAndSpinCount 60 API calls 13391->13394 13393 6cbeb293 __fclose_nolock 60 API calls 13392->13393 13395 6cbef997 13393->13395 13396 6cbef985 13394->13396 13412 6cbef9c2 13395->13412 13396->13395 13398 
6cbeb293 __fclose_nolock 60 API calls 13396->13398 13399 6cbef991 13398->13399 13400 6cbee2c9 _write_string 60 API calls 13399->13400 13400->13395 13402 6cbee804 13401->13402 13403 6cbee810 EnterCriticalSection 13401->13403 13404 6cbef9d0 __calloc_impl 60 API calls 13402->13404 13403->13328 13405 6cbee80d 13404->13405 13405->13328 13407 6cbee86b 13406->13407 13408 6cbee877 LeaveCriticalSection 13406->13408 13416 6cbef8ec LeaveCriticalSection 13407->13416 13408->13328 13410 6cbee874 13410->13328 13411->13371 13415 6cbef8ec LeaveCriticalSection 13412->13415 13414 6cbef9c9 13414->13388 13415->13414 13416->13410 13426 6cbf34e5 13417->13426 13419 6cbf35bd 13419->13355 13684 6cbf3804 13420->13684 13422 6cbeec52 13422->13350 13423 6cbf37e8 13422->13423 13697 6cbf35c7 13423->13697 13429 6cbf34f1 __calloc_impl 13426->13429 13427 6cbf34fd 13428 6cbee2c9 _write_string 60 API calls 13427->13428 13431 6cbf3502 13428->13431 13429->13427 13430 6cbf352e 13429->13430 13437 6cbf2e97 13430->13437 13433 6cbee272 __fclose_nolock 5 API calls 13431->13433 13436 6cbf3511 __calloc_impl 13433->13436 13436->13419 13438 6cbf2ec2 13437->13438 13520 6cbf5d0a 13438->13520 13441 6cbf2eed 13526 6cbebe9b 13441->13526 13442 6cbee1c7 ___crtInitCritSecAndSpinCount 5 API calls 13442->13441 13445 6cbee1c7 ___crtInitCritSecAndSpinCount 5 API calls 13450 6cbf2f08 13445->13450 13446 6cbf2f3e 13447 6cbee2e1 __lseeki64 60 API calls 13446->13447 13448 6cbf2f43 13447->13448 13449 6cbee2c9 _write_string 60 API calls 13448->13449 13451 6cbf2f4d 13449->13451 13450->13446 13453 6cbf2fec 13450->13453 13452 6cbee272 __fclose_nolock 5 API calls 13451->13452 13532 6cbf2b64 13453->13532 13521 6cbf5d19 13520->13521 13522 6cbf2ede 13520->13522 13523 6cbee2c9 _write_string 60 API calls 13521->13523 13522->13441 13522->13442 13524 6cbf5d1e 13523->13524 13525 6cbee272 __fclose_nolock 5 API calls 13524->13525 13525->13522 13527 6cbebeaa 13526->13527 13528 6cbee2c9 _write_string 60 API calls 13527->13528 13529 6cbebebf 
13527->13529 13530 6cbebeaf 13528->13530 13529->13445 13529->13450 13531 6cbee272 __fclose_nolock 5 API calls 13530->13531 13531->13529 13533 6cbf2b70 __calloc_impl 13532->13533 13534 6cbef908 __mtinitlocknum 60 API calls 13533->13534 13535 6cbf2b80 13534->13535 13536 6cbef9d0 __calloc_impl 60 API calls 13535->13536 13537 6cbf2b85 __calloc_impl 13535->13537 13685 6cbf381b 13684->13685 13688 6cbf3814 __fassign 13684->13688 13686 6cbeb670 x_ismbbtype_l 70 API calls 13685->13686 13687 6cbf3827 13686->13687 13687->13688 13689 6cbf385a 13687->13689 13690 6cbf3888 13687->13690 13688->13422 13691 6cbee2c9 _write_string 60 API calls 13689->13691 13690->13688 13693 6cbee2c9 _write_string 60 API calls 13690->13693 13692 6cbf385f 13691->13692 13694 6cbee272 __fclose_nolock 5 API calls 13692->13694 13695 6cbf3895 13693->13695 13694->13688 13696 6cbee272 __fclose_nolock 5 API calls 13695->13696 13696->13688 13698 6cbeb670 x_ismbbtype_l 70 API calls 13697->13698 13699 6cbf35db 13698->13699 13700 6cbf35e4 13699->13700 13701 6cbf3613 13699->13701 13702 6cbee2c9 _write_string 60 API calls 13700->13702 13703 6cbf361b 13701->13703 13704 6cbf364a 13701->13704 13706 6cbf35e9 13702->13706 13707 6cbee2c9 _write_string 60 API calls 13703->13707 13705 6cbf3652 13704->13705 13715 6cbf3676 13704->13715 13717 6cbf5d48 13705->13717 13709 6cbee272 __fclose_nolock 5 API calls 13706->13709 13710 6cbf3620 13707->13710 13716 6cbeec67 13709->13716 13711 6cbee272 __fclose_nolock 5 API calls 13710->13711 13711->13716 13712 6cbf47c0 95 API calls ___crtLCMapStringA 13712->13715 13713 6cbf379b 13714 6cbee2c9 _write_string 60 API calls 13713->13714 13714->13716 13715->13712 13715->13713 13715->13716 13716->13362 13716->13365 13718 6cbeb670 x_ismbbtype_l 70 API calls 13717->13718 13719 6cbf5d5c 13718->13719 13720 6cbf5d63 13719->13720 13721 6cbf5d91 13719->13721 13723 6cbee2c9 _write_string 60 API calls 13720->13723 13722 6cbf5d99 13721->13722 13731 6cbf5dc4 13721->13731 13724 6cbee2c9 _write_string 60 API 
calls 13722->13724 13725 6cbf5d68 13723->13725 13726 6cbf5d9e 13724->13726 13727 6cbee272 __fclose_nolock 5 API calls 13725->13727 13728 6cbee272 __fclose_nolock 5 API calls 13726->13728 13729 6cbf5d78 __stricmp_l 13727->13729 13728->13729 13729->13716 13730 6cbf11b5 95 API calls __stricmp_l 13730->13731 13731->13729 13731->13730 13733 6cbee84d LeaveCriticalSection 13732->13733 13734 6cbee835 13732->13734 13733->13368 13734->13733 13735 6cbee83c 13734->13735 13738 6cbef8ec LeaveCriticalSection 13735->13738 13737 6cbee84a 13737->13368 13738->13737 13740 6cbeacb8 13739->13740 13741 6cbead32 13739->13741 13740->13741 13742 6cbeacbd 13740->13742 13743 6cbee2c9 _write_string 60 API calls 13741->13743 13744 6cbeacce GetLocalTime 13742->13744 13745 6cbeacc5 13742->13745 13746 6cbeacca 13743->13746 13748 6cbd99bc 13744->13748 13747 6cbee2c9 _write_string 60 API calls 13745->13747 13749 6cbee272 __fclose_nolock 5 API calls 13746->13749 13747->13746 13748->13254 13749->13748 13751 6cbeac62 13750->13751 13752 6cbeabf1 13750->13752 13753 6cbee2c9 _write_string 60 API calls 13751->13753 13752->13751 13754 6cbeabf6 13752->13754 13758 6cbeac04 13753->13758 13755 6cbeabff 13754->13755 13756 6cbeac08 GetLocalTime 13754->13756 13757 6cbee2c9 _write_string 60 API calls 13755->13757 13760 6cbd99c5 13756->13760 13757->13758 13759 6cbee272 __fclose_nolock 5 API calls 13758->13759 13759->13760 13760->12600 13760->12601 13762 6cbee7ce 13761->13762 13763 6cbee7e6 EnterCriticalSection 13761->13763 13762->13763 13764 6cbee7d5 13762->13764 13763->13267 13765 6cbef9d0 __calloc_impl 60 API calls 13764->13765 13766 6cbee7e3 13765->13766 13766->13267 13768 6cbee4d0 __fileno 60 API calls 13767->13768 13769 6cbee89a 13768->13769 13770 6cbf25ec _fprintf 60 API calls 13769->13770 13771 6cbee8a0 13770->13771 13772 6cbeab93 13771->13772 13773 6cbee8de 13771->13773 13776 6cbee95b 13772->13776 13774 6cbeb8aa __getstream 60 API calls 13773->13774 13775 6cbee8e4 13774->13775 13775->13772 13778 6cbeaba3 
13776->13778 13782 6cbee97d 13776->13782 13777 6cbed391 _write_multi_char 94 API calls 13777->13782 13784 6cbee923 13778->13784 13780 6cbee4d0 __fileno 60 API calls 13780->13782 13782->13777 13782->13778 13782->13780 13783 6cbf24b7 __locking 94 API calls 13782->13783 13791 6cbef290 13782->13791 13795 6cbee53d 13782->13795 13783->13782 13785 6cbee92e 13784->13785 13787 6cbeabad 13784->13787 13786 6cbee53d __fclose_nolock 94 API calls 13785->13786 13785->13787 13786->13787 13788 6cbeabd1 13787->13788 13789 6cbee824 _fprintf 2 API calls 13788->13789 13792 6cbef2a8 13791->13792 13793 6cbef2cf __VEC_memcpy 13792->13793 13794 6cbef2d7 13792->13794 13793->13794 13794->13782 13796 6cbee556 13795->13796 13800 6cbee577 13795->13800 13797 6cbee4d0 __fileno 60 API calls 13796->13797 13796->13800 13798 6cbee570 13797->13798 13800->13782 13802 6cbea9a8 13801->13802 13803 6cbea9c4 13801->13803 13804 6cbee2c9 _write_string 60 API calls 13802->13804 13805 6cbee53d __fclose_nolock 94 API calls 13803->13805 13809 6cbea9bd 13803->13809 13806 6cbea9ad 13804->13806 13808 6cbea9d0 13805->13808 13807 6cbee272 __fclose_nolock 5 API calls 13806->13807 13807->13809 13820 6cbee507 13808->13820 13817 6cbeaa84 13809->13817 13818 6cbee824 _fprintf 2 API calls 13817->13818 13864 6cbd9ab4 GetWindowsDirectoryA 13863->13864 13865 6cbd9b4b 13863->13865 13867 6cbd9adb 13864->13867 13868 6cbd9acb OutputDebugStringA 13864->13868 13866 6cbeae4e 150 API calls 13865->13866 13865->13868 13869 6cbd9b5d 13866->13869 13871 6cbd9894 96 API calls 13867->13871 13873 6cbd9b7c 13868->13873 13869->13868 13872 6cbd9b6f 13869->13872 13874 6cbd9af9 13871->13874 13875 6cbeaa91 97 API calls 13872->13875 13877 6cbeae6a ___ansicp 4 API calls 13873->13877 13874->13868 13876 6cbd9b07 CreateDirectoryA 13874->13876 13881 6cbd9b76 13875->13881 13878 6cbd9b2e 13876->13878 13879 6cbd9b1a GetLastError 13876->13879 13880 6cbd9b8b 13877->13880 13882 6cbd9894 96 API calls 13878->13882 13879->13868 13879->13878 13880->12515 13883 
6cbeaa10 99 API calls 13881->13883 13882->13865 13883->13873 15675 6cbe9ea9 15676 6cbe9ebb 15675->15676 15679 6cbe9683 15676->15679 15680 6cbd9a40 160 API calls 15679->15680 15681 6cbe9698 15680->15681 15682 6cbe9ee3 15683 6cbe9ef5 15682->15683 15686 6cbe96a6 15683->15686 15687 6cbd9a40 160 API calls 15686->15687 15688 6cbe96bb 15687->15688 15691 6cbe9e01 15688->15691 15692 6cbe96cd 15691->15692 15693 6cbe9e10 GetDlgItem SendMessageA SendMessageA SendMessageA 15691->15693 15693->15692 15694 6cbe9f63 15695 6cbe9f90 15694->15695 15700 6cbe970a 15695->15700 15698 6cbeae6a ___ansicp 4 API calls 15699 6cbe9ff4 15698->15699 15702 6cbe9718 15700->15702 15704 6cbe972b 15700->15704 15701 6cbe9748 15701->15698 15703 6cbd9a40 160 API calls 15702->15703 15702->15704 15703->15704 15704->15701 15706 6cbea20f 15704->15706 15707 6cbea236 15706->15707 15708 6cbea2e1 15706->15708 15707->15708 15709 6cbea244 GetDlgItem SendMessageA 15707->15709 15710 6cbeae6a ___ansicp 4 API calls 15708->15710 15709->15708 15712 6cbea266 15709->15712 15711 6cbea2ed 15710->15711 15711->15701 15712->15708 15713 6cbea2bf SetDlgItemTextA 15712->15713 15714 6cbda2e4 96 API calls 15712->15714 15713->15708 15714->15713 13884 6cbe715c 13886 6cbe71d7 _memset 13884->13886 13885 6cbe71f1 13985 6cbda395 13885->13985 13886->13885 13887 6cbe7242 13886->13887 13890 6cbd9bc1 167 API calls 13887->13890 13908 6cbe723d 13890->13908 13891 6cbe721b 13894 6cbd9bc1 167 API calls 13891->13894 13894->13908 13895 6cbeae6a ___ansicp 4 API calls 13898 6cbe7270 13895->13898 13896 6cbe72f5 13897 6cbd9a40 160 API calls 13896->13897 13903 6cbe7306 _memset 13897->13903 13899 6cbda395 167 API calls 13900 6cbe729d 13899->13900 13900->13891 13901 6cbe72be 13900->13901 13902 6cbda3eb 169 API calls 13901->13902 13904 6cbe72cb 13902->13904 14004 6cbd9ea5 CompareStringA 13903->14004 13904->13896 13905 6cbe72cf 13904->13905 13907 6cbd9bc1 167 API calls 13905->13907 13907->13908 13908->13895 13909 6cbe7341 13910 6cbe7345 13909->13910 13911 
6cbe7353 13909->13911 14180 6cbdd02d 13910->14180 14005 6cbe680f 13911->14005 13916 6cbe73ad _memset 14040 6cbe0243 13916->14040 13917 6cbe73b2 13920 6cbd9a40 160 API calls 13917->13920 13918 6cbe7392 13919 6cbd9bc1 167 API calls 13918->13919 13919->13916 13920->13916 13927 6cbd9a40 160 API calls 13933 6cbe7449 13927->13933 13928 6cbe74f8 14107 6cbe991a 13928->14107 13933->13928 13936 6cbdb0a6 169 API calls 13933->13936 13946 6cbd9bc1 167 API calls 13933->13946 14188 6cbe9870 13933->14188 14196 6cbeaec2 13933->14196 14201 6cbdd53c 13933->14201 13936->13933 13946->13933 14249 6cbda2e4 13985->14249 13988 6cbda3d8 13988->13891 13990 6cbda3eb 13988->13990 13989 6cbd9bc1 167 API calls 13989->13988 13991 6cbda450 13990->13991 13992 6cbda413 13990->13992 13996 6cbda480 FindFirstFileA 13991->13996 13997 6cbda45f 13991->13997 14253 6cbda342 13992->14253 13995 6cbda41e 13998 6cbd9bc1 167 API calls 13995->13998 14000 6cbda43b 13996->14000 14001 6cbda499 FindClose 13996->14001 13999 6cbd9bc1 167 API calls 13997->13999 13998->14000 13999->14000 14002 6cbeae6a ___ansicp 4 API calls 14000->14002 14001->14000 14003 6cbda44c 14002->14003 14003->13896 14003->13899 14004->13909 14006 6cbe6860 14005->14006 14007 6cbda3eb 169 API calls 14006->14007 14008 6cbe686f 14007->14008 14009 6cbe68a1 14008->14009 14258 6cbdc99a 14008->14258 14011 6cbeae6a ___ansicp 4 API calls 14009->14011 14013 6cbe6c80 14011->14013 14013->13916 14013->13917 14013->13918 14014 6cbe68ac 14017 6cbe6bea 14014->14017 14018 6cbd9a40 160 API calls 14014->14018 14015 6cbe6886 14016 6cbd9bc1 167 API calls 14015->14016 14016->14009 14019 6cbd9bc1 167 API calls 14017->14019 14027 6cbe68d4 _strnlen 14018->14027 14020 6cbe6a34 14019->14020 14020->14009 14021 6cbeb293 __fclose_nolock 60 API calls 14020->14021 14021->14009 14022 6cbd9ea5 CompareStringA 14022->14027 14025 6cbd9bc1 167 API calls 14025->14027 14027->14017 14027->14020 14027->14022 14027->14025 14028 6cbd9a40 160 API calls 14027->14028 14029 6cbdca59 60 API 
calls 14027->14029 14037 6cbe6b45 14027->14037 14273 6cbdcb87 14027->14273 14283 6cbe1f44 14027->14283 14323 6cbdd792 GetPrivateProfileStringA 14027->14323 14333 6cbe5cd5 14027->14333 14028->14027 14029->14027 14031 6cbd9a40 160 API calls 14031->14037 14035 6cbe6bb3 GetPrivateProfileStringA 14036 6cbe6c14 14035->14036 14035->14037 14038 6cbd9bc1 167 API calls 14036->14038 14037->14020 14037->14027 14037->14031 14037->14035 14347 6cbda6ad 14037->14347 14354 6cbdcf6c 14037->14354 14361 6cbe3811 14037->14361 14039 6cbe6c37 14038->14039 14039->14020 14894 6cbdb92a 14040->14894 14043 6cbdc2b0 183 API calls 14048 6cbe0283 14043->14048 14044 6cbeae6a ___ansicp 4 API calls 14045 6cbe0359 14044->14045 14058 6cbe129b 14045->14058 14046 6cbe028b 14047 6cbd9bc1 167 API calls 14046->14047 14049 6cbe02a6 14047->14049 14048->14046 14050 6cbe02df 14048->14050 14051 6cbe0304 WideCharToMultiByte 14048->14051 14056 6cbdc4c7 169 API calls 14049->14056 14054 6cbd9bc1 167 API calls 14050->14054 14052 6cbe0324 GetLastError 14051->14052 14053 6cbe0340 14051->14053 14052->14046 14055 6cbdc4c7 169 API calls 14053->14055 14054->14049 14057 6cbe02b7 14055->14057 14056->14057 14057->14044 14059 6cbdc936 169 API calls 14058->14059 14060 6cbe12b1 14059->14060 14061 6cbe1459 14060->14061 14062 6cbe12b9 14060->14062 14095 6cbea2f6 14061->14095 14063 6cbdb0f6 171 API calls 14062->14063 14064 6cbe12c5 14063->14064 14064->14061 14065 6cbdb0f6 171 API calls 14064->14065 14066 6cbe12df 14065->14066 14066->14061 14067 6cbdb0f6 171 API calls 14066->14067 14068 6cbe12f9 14067->14068 14068->14061 14069 6cbdb0f6 171 API calls 14068->14069 14070 6cbe1313 14069->14070 14070->14061 14071 6cbdb0f6 171 API calls 14070->14071 14072 6cbe132d 14071->14072 14072->14061 14073 6cbdb0f6 171 API calls 14072->14073 14074 6cbe1347 14073->14074 14074->14061 14075 6cbdb0f6 171 API calls 14074->14075 14096 6cbd9a40 160 API calls 14095->14096 14097 6cbea31e CreateEventA CoInitialize 14096->14097 14098 6cbea38c 14097->14098 
14099 6cbea399 CoCreateInstance 14097->14099 14101 6cbd9a40 160 API calls 14098->14101 14100 6cbea3b1 14099->14100 14105 6cbea3d0 14099->14105 14102 6cbd9bc1 167 API calls 14100->14102 14103 6cbea397 14101->14103 14104 6cbe7437 14102->14104 14103->14099 14104->13927 14104->13933 14105->14104 14106 6cbd9bc1 167 API calls 14105->14106 14106->14104 14108 6cbd9a40 160 API calls 14107->14108 14111 6cbe992d 14108->14111 14109 6cbe9937 14110 6cbd9bc1 167 API calls 14109->14110 14115 6cbe7516 14110->14115 14111->14109 14112 6cbe99c2 14111->14112 14113 6cbe99e7 14112->14113 14112->14115 14117 6cbe9a0f 14112->14117 14181 6cbdd057 14180->14181 14186 6cbdd04c 14180->14186 14918 6cbdd008 14181->14918 14184 6cbeae6a ___ansicp 4 API calls 14187 6cbdd093 14184->14187 14185 6cbdd060 GetVersionExA 14185->14186 14186->14184 14187->13911 14189 6cbd9a40 160 API calls 14188->14189 14190 6cbe9885 14189->14190 14191 6cbe98c0 CoUninitialize 14190->14191 14192 6cbd9bc1 167 API calls 14190->14192 14194 6cbe98eb Sleep 14191->14194 14195 6cbe98e4 CloseHandle 14191->14195 14192->14191 14194->13933 14195->14194 14198 6cbeaeca 14196->14198 14197 6cbeb8aa __getstream 60 API calls 14197->14198 14198->14197 14199 6cbeaee6 14198->14199 14200 6cbef0a3 __calloc_impl 4 API calls 14198->14200 14199->13933 14200->14198 14202 6cbdc936 169 API calls 14201->14202 14203 6cbdd552 14202->14203 14204 6cbdd5a4 14203->14204 14205 6cbdb0f6 171 API calls 14203->14205 14204->13933 14206 6cbdd562 14205->14206 14206->14204 14207 6cbdb0f6 171 API calls 14206->14207 14250 6cbda2f2 14249->14250 14251 6cbea972 _vswprintf_s 96 API calls 14250->14251 14252 6cbda31c 14250->14252 14251->14252 14252->13988 14252->13989 14254 6cbda2e4 96 API calls 14253->14254 14255 6cbda35f 14254->14255 14256 6cbda382 14255->14256 14257 6cbd9bc1 167 API calls 14255->14257 14256->13995 14256->13996 14257->14256 14259 6cbda3eb 169 API calls 14258->14259 14260 6cbdc9ae 14259->14260 14261 6cbdc9b2 14260->14261 14264 6cbdc9d5 14260->14264 14262 
6cbd9bc1 167 API calls 14261->14262 14272 6cbdc9cd 14262->14272 14265 6cbdc9ef GetPrivateProfileSectionNamesA 14264->14265 14266 6cbdca09 14264->14266 14407 6cbeb326 14264->14407 14265->14264 14267 6cbdca38 14265->14267 14268 6cbd9bc1 167 API calls 14266->14268 14270 6cbd9a40 160 API calls 14267->14270 14267->14272 14269 6cbdca21 14268->14269 14271 6cbeb293 __fclose_nolock 60 API calls 14269->14271 14269->14272 14270->14272 14271->14272 14272->14014 14272->14015 14274 6cbdcba8 14273->14274 14452 6cbeb57d 14274->14452 14277 6cbdcbe0 14277->14027 14278 6cbeb57d 60 API calls 14279 6cbdcbef 14278->14279 14279->14277 14280 6cbdcc0d 14279->14280 14281 6cbeb57d 60 API calls 14279->14281 14280->14277 14282 6cbeb57d 60 API calls 14280->14282 14281->14280 14282->14277 14284 6cbe1f7f _memset 14283->14284 14285 6cbe1f8c 14284->14285 14286 6cbe1fb1 GetSystemDirectoryA 14284->14286 14287 6cbd9bc1 167 API calls 14285->14287 14288 6cbe1fce GetLastError 14286->14288 14289 6cbe1ff3 14286->14289 14299 6cbe1fa7 14287->14299 14290 6cbd9bc1 167 API calls 14288->14290 14291 6cbda3eb 169 API calls 14289->14291 14290->14299 14292 6cbe2004 14291->14292 14293 6cbe200c 14292->14293 14294 6cbe21e2 14292->14294 14296 6cbeaec2 60 API calls 14293->14296 14298 6cbd9a40 160 API calls 14294->14298 14295 6cbeae6a ___ansicp 4 API calls 14297 6cbe2200 14295->14297 14300 6cbe2016 14296->14300 14297->14027 14298->14299 14299->14295 14301 6cbe2022 14300->14301 14460 6cbe1e22 14300->14460 14303 6cbe21ae 14301->14303 14307 6cbe2038 14301->14307 14304 6cbd9bc1 167 API calls 14303->14304 14305 6cbe21c9 14304->14305 14305->14299 14306 6cbdb0a6 169 API calls 14305->14306 14306->14299 14308 6cbe2083 14307->14308 14309 6cbe20a1 14307->14309 14311 6cbd9a40 160 API calls 14307->14311 14310 6cbd9a40 160 API calls 14308->14310 14313 6cbd9bc1 167 API calls 14309->14313 14315 6cbe2094 14310->14315 14312 6cbe20bf 14311->14312 14312->14308 14314 6cbe20ff 14312->14314 14313->14315 14314->14309 14316 6cbe2127 14314->14316 
14318 6cbe2183 14315->14318 14319 6cbda342 167 API calls 14315->14319 14321 6cbe2171 14315->14321 14317 6cbd9a40 160 API calls 14316->14317 14317->14315 14320 6cbdb0a6 169 API calls 14318->14320 14319->14321 14320->14299 14477 6cbdc82d 14321->14477 14324 6cbdd7dc 14323->14324 14326 6cbdd802 14323->14326 14325 6cbd9bc1 167 API calls 14324->14325 14329 6cbdd7fb 14325->14329 14327 6cbdc82d 60 API calls 14326->14327 14328 6cbdd82a 14327->14328 14328->14329 14330 6cbd9bc1 167 API calls 14328->14330 14331 6cbeae6a ___ansicp 4 API calls 14329->14331 14330->14329 14332 6cbdd864 14331->14332 14332->14027 14334 6cbeaec2 60 API calls 14333->14334 14335 6cbe5ce8 14334->14335 14336 6cbe5cf7 14335->14336 14508 6cbdd3f9 14335->14508 14338 6cbe5d1c 14336->14338 14340 6cbe5d05 14336->14340 14339 6cbd9bc1 167 API calls 14338->14339 14342 6cbe5d0c 14339->14342 14515 6cbe4094 14340->14515 14345 6cbe5d4a 14342->14345 14529 6cbdc4c7 14342->14529 14535 6cbe2bb5 14345->14535 14348 6cbda6cc 14347->14348 14349 6cbda6d7 GetVersionExA 14347->14349 14350 6cbeae6a ___ansicp 4 API calls 14348->14350 14349->14348 14352 6cbda6f7 14349->14352 14351 6cbda739 14350->14351 14351->14037 14352->14348 14781 6cbda691 14352->14781 14355 6cbdcf8b 14354->14355 14356 6cbdcf96 GetVersionExA 14354->14356 14357 6cbeae6a ___ansicp 4 API calls 14355->14357 14356->14355 14359 6cbdcfb6 14356->14359 14358 6cbdd001 14357->14358 14358->14037 14359->14355 14360 6cbda691 180 API calls 14359->14360 14360->14355 14878 6cbeaef0 14361->14878 14363 6cbe3858 GetSystemDirectoryA 14364 6cbe3878 GetLastError 14363->14364 14365 6cbe38a1 14363->14365 14366 6cbd9bc1 167 API calls 14364->14366 14367 6cbda342 167 API calls 14365->14367 14395 6cbe3899 14366->14395 14368 6cbe38b9 14367->14368 14369 6cbe38bd 14368->14369 14370 6cbe38e7 14368->14370 14371 6cbd9bc1 167 API calls 14369->14371 14372 6cbda395 167 API calls 14370->14372 14371->14395 14374 6cbe38fe 14372->14374 14373 6cbeae6a ___ansicp 4 API calls 14375 6cbe3b7f 14373->14375 

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBE03E7
                                                                                    • GetLastError.KERNEL32(00000000,?,?,?,00000000,?,00000104,?,?,?,?,?,0000003B,?,?,?), ref: 6CBE0674
                                                                                    • GetLastError.KERNEL32(00000000,?,00000000,?,00000104,?,?,?,?,?,0000003B,?,?,?), ref: 6CBE0837
                                                                                    • GetLastError.KERNEL32(00000000,?,0000003B,?,?,?), ref: 6CBE0850
                                                                                    • GetLastError.KERNEL32(00000000,?,?,?,?,?,00000000,?,00000104,?,?,?,?,?,0000003B,?), ref: 6CBE087D
                                                                                    • GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBE08CC
                                                                                    • GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,00000104,?), ref: 6CBE091E
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE0933
                                                                                    • GetLastError.KERNEL32 ref: 6CBE094E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_memset
                                                                                    • String ID: %s%s$, $-----$;$CDownloadManager::SetSection("%s") failed.$CheckDependency(): no dependency.$CheckSectionsForDownloadPlugIn$CheckSectionsForDownloadPlugIn(): %s have been installed.$CheckSectionsForDownloadPlugIn(): %s have not been installed.$CheckSectionsForDownloadPlugIn(): %s is older than update file$CheckSectionsForDownloadPlugIn(): .NET Framework 2.0 is not available, %s is skipped.$CheckSectionsForDownloadPlugIn(): .NET Framework is not available, %s is skipped.$CheckSectionsForDownloadPlugIn(): DXGetFileVersion() failed, file: %s.$CheckSectionsForDownloadPlugIn(): ParseCifLine() failed, line: %s is skipped.$CheckSectionsForDownloadPlugIn(): SetupFindFirstLine() returns 0, reason = %d.$CheckSectionsForDownloadPlugIn(): StringToVersionInfo() failed, version: %s.$CheckSectionsForDownloadPlugIn(): [%s]$CheckSectionsForDownloadPlugIn(): [%s] is being downloaded.$CheckSectionsForDownloadPlugIn(): [%s] is not being downloaded.$Dependencies:$DirectXUpdateDownloadPlugIn$GAC\$SetupGetLineText()$Target file: '%s'Target Version %d.%d.%d.%dUpdate Version %d.%d.%d.%d$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$_MDX1_$_MDX2_$_MDX_$_x64$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 536390146-1979185646
                                                                                    • Opcode ID: 4ad4759fad24b445ab5f26cc7192bc7b6dc5cacba1ec28b7de841eab68659e4e
                                                                                    • Instruction ID: 39ef7a8d903b80f6442fcf4056f89b79dfae646ef35900b5e63d847fd4e5aadc
                                                                                    • Opcode Fuzzy Hash: 4ad4759fad24b445ab5f26cc7192bc7b6dc5cacba1ec28b7de841eab68659e4e
                                                                                    • Instruction Fuzzy Hash: DAE1F6759042E9AADB109BA6EC84FEE737CDF48798F120595F449A2900DF30EE84DF25
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _strnlen.LIBCMT ref: 6CBE68F1
                                                                                      • Part of subcall function 6CBD9EA5: CompareStringA.KERNEL32(00000409,00000001,?,000000FF,6CBE0ED5,000000FF,?,6CBE0ED5,?,Version,?,00000000,?), ref: 6CBD9EBB
                                                                                    • GetPrivateProfileStringA.KERNEL32(DXUpdate.URL,?,6CBD311C,?,00000104,6CBD12F4), ref: 6CBE6BC5
                                                                                      • Part of subcall function 6CBE1F44: _memset.LIBCMT ref: 6CBE1F7A
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: String__wstrtime$ComparePrivateProfile_memset_strnlen_strrchr
                                                                                    • String ID: DXUpdate.URL$DXUpdate_$DirectX$GetMDXVersion() failed, skipping MDX section.$GetPrivateProfileString()$GetSectionFromCif$GetSectionFromCif(): DirectX Version: %d.%02d.%02d.%04d.%d$GetSectionFromCif(): Invalid URL, skipped.$GetSectionFromCif(): MDX: %d.%02d.%02d.%04d, Update:%d.%02d.%02d.%04d$GetSectionFromCif(): Section [%d.%02d.%02d.%04d.%02d-%d.%02d.%02d.%04d.%02d_%s] is downloading.$GetSectionFromCif(): Section [%d.%02d.%02d.%04d.%d-%d.%02d.%02d.%04d.%d_%s_%s] is downloading.$GetSectionNamesFromInf() failed.$MDX$StringToVersionInfo() failed, version = %s.$Strings$Unable to get base URL, Cif: %s, Version: %s.$Unable to load section list, Cif: %s.$Version$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 2037971165-2157400507
                                                                                    • Opcode ID: 75de75819a166ce6cd6cd25557e9535c862f56cdb49e320ddbec631831b32c5f
                                                                                    • Instruction ID: bf208c38d3c9c66a587614629013d9cb3e91b57a6a12748ba6700f7ec10cff88
                                                                                    • Opcode Fuzzy Hash: 75de75819a166ce6cd6cd25557e9535c862f56cdb49e320ddbec631831b32c5f
                                                                                    • Instruction Fuzzy Hash: BBC1AC75D0029EBADB049BE5CC80EFEBBBCEF08758B110519FA50F2A41DB31A8559B61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNELBASE(mscoree.dll,00000000,00000000), ref: 6CBDB505
                                                                                    • GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 6CBDB526
                                                                                    • GetProcAddress.KERNEL32(?,GetCORVersion), ref: 6CBDB732
                                                                                    • FreeLibrary.KERNELBASE(?), ref: 6CBDB84A
                                                                                    • GetLastError.KERNEL32 ref: 6CBDB859
                                                                                    • GetLastError.KERNEL32(Unable to load mscoree.dll.), ref: 6CBDB876
                                                                                    Strings
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\inline.h, xrefs: 6CBDB823, 6CBDB888
                                                                                    • CLR version number = %d.%d.%d, xrefs: 6CBDB7F9
                                                                                    • CLR version number = %d.%d.%d, xrefs: 6CBDB68C
                                                                                    • Unable to get CLR build number., xrefs: 6CBDB812
                                                                                    • GetCORVersion not found in mscoree.dll, function deprecated for .NET Framework 4.0., xrefs: 6CBDB839
                                                                                    • GetDotNETFrameworkVersion, xrefs: 6CBDB819, 6CBDB87E
                                                                                    • mscoree.dll is not available., xrefs: 6CBDB897
                                                                                    • mscoree.dll, xrefs: 6CBDB4F2
                                                                                    • GetCORVersion() failed, function deprecated for .NET Framework 4.0., xrefs: 6CBDB832
                                                                                    • Unable to load mscoree.dll., xrefs: 6CBDB871
                                                                                    • LoadLibrary(), xrefs: 6CBDB879
                                                                                    • GetCORVersion, xrefs: 6CBDB727
                                                                                    • CLRCreateInstance, xrefs: 6CBDB520
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressErrorLastLibraryProc$FreeLoad
                                                                                    • String ID: CLR version number = %d.%d.%d$CLR version number = %d.%d.%d$CLRCreateInstance$GetCORVersion$GetCORVersion not found in mscoree.dll, function deprecated for .NET Framework 4.0.$GetCORVersion() failed, function deprecated for .NET Framework 4.0.$GetDotNETFrameworkVersion$LoadLibrary()$Unable to get CLR build number.$Unable to load mscoree.dll.$e:\bt\382730\setup\deliverables\dxupdate\inline.h$mscoree.dll$mscoree.dll is not available.
                                                                                    • API String ID: 1490555712-2310045088
                                                                                    • Opcode ID: ef8103cb99a924a838d25c1c53436a318177165293a957293c37cc2a448c7606
                                                                                    • Instruction ID: e048d1da70b6b6498ad1359d7e8dab2300b83b69cd379b0d97613d4631e766bd
                                                                                    • Opcode Fuzzy Hash: ef8103cb99a924a838d25c1c53436a318177165293a957293c37cc2a448c7606
                                                                                    • Instruction Fuzzy Hash: CEA162B19012959BDB608FA5CCD4E9EB7B8EF44318F1544AEE209E7600D735ED84CF25
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000258), ref: 6CBD9905
                                                                                    • OutputDebugStringA.KERNEL32(DXSETUP_DPF(): Unable to open log file.,?,00000258), ref: 6CBD9914
                                                                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 6CBD9954
                                                                                    • GetLastError.KERNEL32 ref: 6CBD995E
                                                                                    • __wstrtime.LIBCMT ref: 6CBD99B7
                                                                                    • __wstrtime.LIBCMT ref: 6CBD99C0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Directory__wstrtime$CreateDebugErrorLastOutputStringWindows
                                                                                    • String ID: %s %s: %s: %s$%s %s: %s: (null)$%s%s$%s%s%s$C:\Windows\Logs\DirectX.log$DXSETUP_DPF(): GetWindowsDirectory() failed.$DXSETUP_DPF(): Unable to open log file.$DXSETUP_DPF(): failed to create log directory.$DXSETUP_DPF(): path name too long.$Logs\DirectX.log$\Logs$dxupdate
                                                                                    • API String ID: 1979891910-1420145299
                                                                                    • Opcode ID: 17d8991b9a065378be13d64fb0467c308ea471ed16d5777ff0cd50f44e356b63
                                                                                    • Instruction ID: 02b10d6f0b29a70dbd73a39e6832cdcc90bdf5db2080faf06bc7e86ce80589dd
                                                                                    • Opcode Fuzzy Hash: 17d8991b9a065378be13d64fb0467c308ea471ed16d5777ff0cd50f44e356b63
                                                                                    • Instruction Fuzzy Hash: 2F31F4B6D4419876DB00DAA19C54EDF37BCAB09778F0A0566F905F3D00EF35F6088A65
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • Opcode ID: 170a3e4aa7af6869826f2449fb2a14d5ec98a893ff8f774f470f2ee654e2db75
                                                                                    • Instruction ID: edf9e998007a88f6667b21b7b4f97e4debca180fa37c423c953d7835051e82e3
                                                                                    • Opcode Fuzzy Hash: 170a3e4aa7af6869826f2449fb2a14d5ec98a893ff8f774f470f2ee654e2db75
                                                                                    • Instruction Fuzzy Hash: 7212AF71D046A88FDB21CF68CC88BAEB7B4EF05316F0405D5D969E7680D7709A8ACF52
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,6CBE7068,?,00000000,?,?,?,?,?), ref: 6CBEA339
                                                                                    • CoInitialize.OLE32(00000000), ref: 6CBEA382
                                                                                    • CoCreateInstance.OLE32(6CBD7E28,00000000,00000005,6CBD7E38,00000018,?,6CBE7068,?,00000000,?,?,?,?,?,?,?), ref: 6CBEA3A7
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    • CDownloadManager::CDownloadManager(): CoInitliaze() returns 0x%x., xrefs: 6CBEA38D
                                                                                    • CoCreateInstance(), xrefs: 6CBEA3B3
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dwnldmgr.cpp, xrefs: 6CBEA3C2, 6CBEA3EE
                                                                                    • CDownloadManager(), xrefs: 6CBEA300
                                                                                    • CDownloadManager::CDownloadManager, xrefs: 6CBEA3B8, 6CBEA3E4
                                                                                    • RegisterInstallEngineCallback(), xrefs: 6CBEA3DF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create__wstrtime$EventInitializeInstance_strrchr
                                                                                    • String ID: CDownloadManager()$CDownloadManager::CDownloadManager$CDownloadManager::CDownloadManager(): CoInitliaze() returns 0x%x.$CoCreateInstance()$RegisterInstallEngineCallback()$e:\bt\382730\setup\deliverables\dxupdate\dwnldmgr.cpp
                                                                                    • API String ID: 3266464906-1942859877
                                                                                    • Opcode ID: 0a0ce440ac897ded3630e639ac1e7763cfc6ecc753a6e992993ba7fb547e215a
                                                                                    • Instruction ID: 87009f4363eb80920eb07df034025cc507c94e52f3d7d90ad2cd9bc96ddc6363
                                                                                    • Opcode Fuzzy Hash: 0a0ce440ac897ded3630e639ac1e7763cfc6ecc753a6e992993ba7fb547e215a
                                                                                    • Instruction Fuzzy Hash: B73136B5500B90AFD3208F6A8C88E9BFBFCEB95722F11490EE05A97A10D7B174008F60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32(?), ref: 6CBEA4C0
                                                                                    • __heap_term.LIBCMT ref: 6CBEA531
                                                                                    • GetCommandLineA.KERNEL32 ref: 6CBEA538
                                                                                    • ___crtGetEnvironmentStringsA.LIBCMT ref: 6CBEA543
                                                                                      • Part of subcall function 6CBECE99: GetEnvironmentStringsW.KERNEL32(?,?,?,6CBEA548), ref: 6CBECEB7
                                                                                      • Part of subcall function 6CBECE99: GetEnvironmentStringsW.KERNEL32(?,?,?,6CBEA548), ref: 6CBECEF2
                                                                                      • Part of subcall function 6CBEC855: GetStartupInfoA.KERNEL32(?), ref: 6CBEC86A
                                                                                      • Part of subcall function 6CBEC855: GetFileType.KERNEL32(00000024), ref: 6CBEC978
                                                                                      • Part of subcall function 6CBEC855: ___crtInitCritSecAndSpinCount.LIBCMT ref: 6CBEC9AC
                                                                                    • __mtterm.LIBCMT ref: 6CBEA556
                                                                                      • Part of subcall function 6CBEC20A: TlsFree.KERNELBASE(00000038,6CBEA5C1), ref: 6CBEC235
                                                                                      • Part of subcall function 6CBEC20A: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6CBEA5C1), ref: 6CBEF8AD
                                                                                      • Part of subcall function 6CBEC20A: DeleteCriticalSection.KERNEL32(00000038,?,?,6CBEA5C1), ref: 6CBEF8D7
                                                                                    • __mtterm.LIBCMT ref: 6CBEA5BC
                                                                                    • __heap_term.LIBCMT ref: 6CBEA5C1
                                                                                    • ___set_flsgetvalue.LIBCMT ref: 6CBEA5CD
                                                                                      • Part of subcall function 6CBEC1DB: TlsGetValue.KERNEL32(6CBEC316), ref: 6CBEC1E1
                                                                                      • Part of subcall function 6CBEC1DB: TlsSetValue.KERNEL32(00000000), ref: 6CBEC1FE
                                                                                      • Part of subcall function 6CBEC80F: __calloc_impl.LIBCMT ref: 6CBEC824
                                                                                      • Part of subcall function 6CBEB293: ___sbh_find_block.LIBCMT ref: 6CBEB2BC
                                                                                      • Part of subcall function 6CBEB293: HeapFree.KERNEL32(00000000,00000000,6CBF66B0,0000000C,6CBEF9AC,00000000,6CBF6880,0000000C,6CBEF9EB,00000000,-0000000F,?,6CBEC76D,00000004,6CBF67B8,0000000C), ref: 6CBEB2FB
                                                                                      • Part of subcall function 6CBEB293: GetLastError.KERNEL32(?,6CBEC76D,00000004,6CBF67B8,0000000C,6CBF1B11,00000000,00000000,00000000,00000000,00000000,?,6CBEC33C,00000001,00000214), ref: 6CBEB30C
                                                                                    • __freeptd.LIBCMT ref: 6CBEA61F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnvironmentStrings$CriticalDeleteFreeSectionValue___crt__heap_term__mtterm$CommandCountCritErrorFileHeapInfoInitLastLineSpinStartupTypeVersion___sbh_find_block___set_flsgetvalue__calloc_impl__freeptd
                                                                                    • String ID:
                                                                                    • API String ID: 4055056290-0
                                                                                    • Opcode ID: 378bdcea9e137512476c01d301cfb9fea0cb145f126497510c5d13cf6acd5214
                                                                                    • Instruction ID: da82698d7ea1c79d97b8aae2fe10fdd464e156b93bc71ce83561bb618c8c8ee6
                                                                                    • Opcode Fuzzy Hash: 378bdcea9e137512476c01d301cfb9fea0cb145f126497510c5d13cf6acd5214
                                                                                    • Instruction Fuzzy Hash: 52418431A441D18ADB14AB75A80469D3FB9EF8EFDDF14416AD829D3F40EB748848CE52
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _realloc.LIBCMT ref: 6CBDC9E4
                                                                                    • GetPrivateProfileSectionNamesA.KERNEL32(00000000,-00000258,?), ref: 6CBDC9F6
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$NamesPrivateProfileSection_realloc_strrchr
                                                                                    • String ID: GetSectionNamesFromInf$GetSectionNamesFromInf(): Unable to get section names from %s.$Unable to find %s.$e:\bt\382730\setup\deliverables\dxupdate\inline.h$realloc()
                                                                                    • API String ID: 14898424-2734547356
                                                                                    • Opcode ID: 5e5b8c0a365518af67f5d3c1789c339c0df090ddbd0ac0f12977df9a415fc84a
                                                                                    • Instruction ID: 4805fa5259e845b87de976f6554eec660cdeca39f6ec828dcd06cedd625c8360
                                                                                    • Opcode Fuzzy Hash: 5e5b8c0a365518af67f5d3c1789c339c0df090ddbd0ac0f12977df9a415fc84a
                                                                                    • Instruction Fuzzy Hash: 02113A7A5042C57EE7106EE59CC0C9B7BACDF443FC7230A3AF954A3A40EB71B9444661
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • FindFirstFileA.KERNELBASE(?,?,?,00000104,?,?,?), ref: 6CBDA48E
                                                                                    • FindClose.KERNEL32(00000000), ref: 6CBDA49A
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find__wstrtime$CloseFileFirst_strrchr
                                                                                    • String ID: IsFileAvailable$StringCchCopy()$Unable to create path string, %s%s.$e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h
                                                                                    • API String ID: 317478765-495664935
                                                                                    • Opcode ID: c1f7112f1402a53e177a95c380fa5d3001e7c2d3935bc41d6339931464c9cbf0
                                                                                    • Instruction ID: 78c4e5c4c4afc0b04f5416252ee2b51b34ede74c5269fe733dfceef5636fb526
                                                                                    • Opcode Fuzzy Hash: c1f7112f1402a53e177a95c380fa5d3001e7c2d3935bc41d6339931464c9cbf0
                                                                                    • Instruction Fuzzy Hash: 8411257AE501887AD700AAB59C09EEF77BCDB95739F060521B815F3980EB70F9844E60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset
                                                                                    • String ID: -----$@64$CDownloadManager::Download() failed.$CDownloadManager::GetDownloadSize() failed.$CDownloadManager::SetSection("%s") failed.$DXUpdate_DXDllReg_x86$DirectXUpdateDownloadPlugIn$DirectXUpdateDownloadPlugIn(): CDownloadManager::InitInstallEngine() failed.$DirectXUpdateDownloadPlugIn(): Cif %s$DirectXUpdateDownloadPlugIn(): [%s] is being downloaded.$DirectXUpdateDownloadPlugIn(): end download$DirectXUpdateDownloadPlugIn(): no download section in %s.$DirectXUpdateDownloadPlugIn(): start download$DirectXUpdateDownloadPlugIn(): unable to initialize CDownloadManager.$GetCachePath() failed.$GetDXVersion() failed.$GetSectionFromCif() failed.$Invalid parameter.$SetupOpenInfFile()$Srv2K3$Srv2K3@64$Unable to create path string, %s\%s.$Unable to find %s.$Unable to initialize CKernel32.$Unable to initialize CSetupAPI.$Unable to open %s.$Win2K$WinXP$WinXP@64$dxupdate.cif$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C
                                                                                    • API String ID: 2102423945-1754519923
                                                                                    • Opcode ID: 60542482d8bd49cb643efb9eb94f3b337f97c8a1d97486b0ad850731a7b12b49
                                                                                    • Instruction ID: 1acd9566278d759f8b533f636b431c78658c3d006d54064034dbdbbb7da9fe17
                                                                                    • Opcode Fuzzy Hash: 60542482d8bd49cb643efb9eb94f3b337f97c8a1d97486b0ad850731a7b12b49
                                                                                    • Instruction Fuzzy Hash: D0E1C8B5C412E9AAEB209F65CC40EDE777CEB09758F1105D6F418B2A42EB706E848F61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNELBASE(mscoree.dll,?,00000000,00000000,?,6CBDD408,?,00000104,00000000,?,6CBE5CF7,?,00000104,00000000,?,6CBE6A2C), ref: 6CBDC2CF
                                                                                    • GetLastError.KERNEL32(Unable to load mscoree.dll.,?,6CBDD408,?,00000104,00000000,?,6CBE5CF7,?,00000104,00000000,?,6CBE6A2C,?,?,?), ref: 6CBDC2E1
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • GetProcAddress.KERNEL32(00000000,LoadLibraryShim), ref: 6CBDC316
                                                                                    • GetLastError.KERNEL32(Module: mscoree.dll, Function: LoadLibraryShim,?,6CBDD408,?,00000104,00000000,?,6CBE5CF7,?,00000104,00000000,?,6CBE6A2C,?,?,?), ref: 6CBDC326
                                                                                    • FreeLibrary.KERNEL32(?,?,6CBE6A2C,?,?,?,?,00000008,?,00000007,?,DirectX,?,Version,?,Version), ref: 6CBDC433
                                                                                    • GetLastError.KERNEL32(?,6CBE6A2C,?,?,?,?,00000008,?,00000007,?,DirectX,?,Version,?,Version,?), ref: 6CBDC442
                                                                                    • FreeLibrary.KERNEL32(00000000,?,6CBE6A2C,?,?,?,?,00000008,?,00000007,?,DirectX,?,Version,?,Version), ref: 6CBDC480
                                                                                    • GetLastError.KERNEL32(?,6CBE6A2C,?,?,?,?,00000008,?,00000007,?,DirectX,?,Version,?,Version,?), ref: 6CBDC48A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Library$Free__wstrtime$AddressLoadProc_strrchr
                                                                                    • String ID: CFusion::CFusion$CreateAssemblyCache$CreateAssemblyEnum$CreateAssemblyNameObject$FreeLibrary()$GetCachePath$GetProcAddress()$LoadLibrary()$LoadLibraryShim$LoadLibraryShim()$Module: fusion.dll, Function: CreateAssemblyCache$Module: fusion.dll, Function: CreateAssemblyEnum$Module: fusion.dll, Function: CreateAssemblyNameObject$Module: fusion.dll, Function: GetCachePath$Module: mscoree.dll, Function: LoadLibraryShim$Unable to load mscoree.dll.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$fusion.dll$mscoree.dll
                                                                                    • API String ID: 919326679-2703188920
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DisableThreadLibraryCalls.KERNEL32(?), ref: 6CBDBB17
                                                                                    • CreateMutexA.KERNELBASE(00000000,00000000,DXUPDATE DLL Mutex), ref: 6CBDBB24
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDBB31
                                                                                    • GetLastError.KERNEL32 ref: 6CBDBB5B
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6CBDBB70
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDBB7B
                                                                                    • CloseHandle.KERNEL32 ref: 6CBDBBA2
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDBBAD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CloseHandle$CallsCreateDisableLibraryMutexThread
                                                                                    • String ID: CloseHandle()$CreateMutex()$DXUPDATE DLL Mutex$DXUpdate is running already.$DllMain$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 137530272-569196964
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • ResetEvent.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,6CBEA1B0,00000000,00000000,?,6CBEA439,?,?,?,?), ref: 6CBE9CEC
                                                                                    • GetLastError.KERNEL32(00000000,?,6CBEA1B0,00000000,00000000,?,6CBEA439,?,?,?,?,6CBD12F4,00000000,?,6CBE70A6,?), ref: 6CBE9CF7
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,6CBEA1B0,00000000,00000000,?,6CBEA439,?,?,?,?,6CBD12F4,00000000,?,6CBE70A6), ref: 6CBE9DB7
                                                                                    • GetLastError.KERNEL32(00000000,?,6CBEA1B0,00000000,00000000,?,6CBEA439,?,?,?,?,6CBD12F4,00000000,?,6CBE70A6,?), ref: 6CBE9DC4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EventObjectResetSingleWait
                                                                                    • String ID: CDownloadManager::Download$CDownloadManager::Download()$DownloadComponents()$Event handle handle is not initialized.$QueryInterface()$ResetEvent()$Unable to query timing function.$WaitForsingleObject()$e:\bt\382730\setup\deliverables\dxupdate\dwnldmgr.cpp
                                                                                    • API String ID: 2267819996-2907961203
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __get_daylight.LIBCMT ref: 6CBF2ED9
                                                                                    • __get_wpgmptr.LIBCMT ref: 6CBF2EF4
                                                                                    • CreateFileA.KERNEL32(00000000,00000080,00000000,0000000C,00000001,00000080,00000000,00000109,00000000,00000000), ref: 6CBF30CB
                                                                                    • GetLastError.KERNEL32 ref: 6CBF30F3
                                                                                    • __dosmaperr.LIBCMT ref: 6CBF30FA
                                                                                    • GetFileType.KERNELBASE(00000000), ref: 6CBF310D
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6CBF3133
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6CBF315F
                                                                                    • __locking.LIBCMT ref: 6CBF3453
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseFileHandle$CreateErrorLastType__dosmaperr__get_daylight__get_wpgmptr__locking
                                                                                    • String ID: @
                                                                                    • API String ID: 690964824-2766056989
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fassign__wsopen_s
                                                                                    • String ID: $UNICODE$UTF-16LE$UTF-8$ccs=
                                                                                    • API String ID: 2488987356-1656882147
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 6CBDC2B0: LoadLibraryA.KERNELBASE(mscoree.dll,?,00000000,00000000,?,6CBDD408,?,00000104,00000000,?,6CBE5CF7,?,00000104,00000000,?,6CBE6A2C), ref: 6CBDC2CF
                                                                                      • Part of subcall function 6CBDC2B0: GetLastError.KERNEL32(Unable to load mscoree.dll.,?,6CBDD408,?,00000104,00000000,?,6CBE5CF7,?,00000104,00000000,?,6CBE6A2C,?,?,?), ref: 6CBDC2E1
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000104,6CBE73EF,00000104,00000000,00000000), ref: 6CBE031A
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE0325
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast__wstrtime$ByteCharLibraryLoadMultiWide_strrchr
                                                                                    • String ID: GetCachePath$GetCachePath()$Unable to initialize CFusion.$WideCharToMultiByte()$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 2559884782-2269815630
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fileno
                                                                                    • String ID:
                                                                                    • API String ID: 1873356214-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Strings
                                                                                    • CDownloadManager::~CDownloadManager, xrefs: 6CBE98AC
                                                                                    • ~CDownloadManager(), xrefs: 6CBE9875
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dwnldmgr.cpp, xrefs: 6CBE98B6
                                                                                    • UnregisterInstallEngineCallback(), xrefs: 6CBE98A7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleSleepUninitialize
                                                                                    • String ID: CDownloadManager::~CDownloadManager$UnregisterInstallEngineCallback()$e:\bt\382730\setup\deliverables\dxupdate\dwnldmgr.cpp$~CDownloadManager()
                                                                                    • API String ID: 314316678-1669205376
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 6CBEA253
                                                                                    • SendMessageA.USER32(00000000), ref: 6CBEA25A
                                                                                    • SetDlgItemTextA.USER32(000003EA,000003EA,--:--:--), ref: 6CBEA2DB
                                                                                      • Part of subcall function 6CBDA2E4: _vswprintf_s.LIBCMT ref: 6CBDA317
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Item$MessageSendText_vswprintf_s
                                                                                    • String ID: %02d:%02d:%02d$--:--:--
                                                                                    • API String ID: 4103211107-521328129
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • #17.COMCTL32(00000000,00000000,?,6CBEA439,?,?,?,?,6CBD12F4,00000000,?,6CBE70A6,?,?,?,?), ref: 6CBEA1E1
                                                                                    • DialogBoxParamA.USER32(?,000003E8,?,6CBEA12F,00000000), ref: 6CBEA1FE
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    • CDownloadManager::Download, xrefs: 6CBEA1BB
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dwnldmgr.cpp, xrefs: 6CBEA1C5
                                                                                    • Download() falied., xrefs: 6CBEA1B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$DialogParam_strrchr
                                                                                    • String ID: CDownloadManager::Download$Download() falied.$e:\bt\382730\setup\deliverables\dxupdate\dwnldmgr.cpp
                                                                                    • API String ID: 3573595137-1322761809
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • FreeLibrary.KERNELBASE(00000000,6CBE5D4A,?,6CBE6A2C,?,?,?,?,00000008,?,00000007,?,DirectX,?,Version,?), ref: 6CBDC4CE
                                                                                    • GetLastError.KERNEL32(?,6CBE6A2C,?,?,?,?,00000008,?,00000007,?,DirectX,?,Version,?,Version,?), ref: 6CBDC4D8
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp, xrefs: 6CBDC4F4
                                                                                    • FreeLibrary(), xrefs: 6CBDC4E5
                                                                                    • CFusion::~CFusion, xrefs: 6CBDC4EA
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$ErrorFreeLastLibrary_strrchr
                                                                                    • String ID: CFusion::~CFusion$FreeLibrary()$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 2808663981-2807337669
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __locking$__fileno__lseeki64
                                                                                    • String ID:
                                                                                    • API String ID: 3501863086-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 6CBE9E18
                                                                                    • SendMessageA.USER32(00000000,00000401,00000000,?), ref: 6CBE9E36
                                                                                    • SendMessageA.USER32(00000000,00000402,00000000,00000000), ref: 6CBE9E42
                                                                                    • SendMessageA.USER32(00000000,00000404,00000001,00000000), ref: 6CBE9E4E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Item
                                                                                    • String ID:
                                                                                    • API String ID: 3888421826-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00BFBBEF,6CBF3458,6CBF3458,?,6CBF1EBB,00BFBBEF,00000000,00000000,00000002,00000000,00000000), ref: 6CBF1C70
                                                                                    • GetLastError.KERNEL32(?,6CBF1EBB,00BFBBEF,00000000,00000000,00000002,00000000,00000000,00000002), ref: 6CBF1C7D
                                                                                    • __dosmaperr.LIBCMT ref: 6CBF1C88
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastPointer__dosmaperr
                                                                                    • String ID:
                                                                                    • API String ID: 2336955059-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetFilePointer.KERNELBASE(00000000,00000109,00000000,6CBF3433,00004000,00000109,?,6CBF3433,00000109,00000000,00000000), ref: 6CBF5C00
                                                                                    • GetLastError.KERNEL32(?,6CBF3433,00000109,00000000,00000000), ref: 6CBF5C0D
                                                                                    • __dosmaperr.LIBCMT ref: 6CBF5C1C
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastPointer__dosmaperr
                                                                                    • String ID:
                                                                                    • API String ID: 2336955059-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __fileno.LIBCMT ref: 6CBEEA03
                                                                                    • __locking.LIBCMT ref: 6CBEEA0A
                                                                                      • Part of subcall function 6CBEE53D: __fileno.LIBCMT ref: 6CBEE56B
                                                                                      • Part of subcall function 6CBEE53D: __locking.LIBCMT ref: 6CBEE572
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fileno__locking
                                                                                    • String ID:
                                                                                    • API String ID: 2385650056-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallFilterFunc@8__getstream
                                                                                    • String ID:
                                                                                    • API String ID: 2779671989-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fileno__locking
                                                                                    • String ID:
                                                                                    • API String ID: 2385650056-0
                                                                                    • Opcode ID: f34ee2353d581f99db61ec7ed969a26067ae195e629ff946469a8732c1a5b05c
                                                                                    • Instruction ID: b69717b093b82e8f95e3355293692bcb2e8f5551b51472befe4a1f4f1f2df015
                                                                                    • Opcode Fuzzy Hash: f34ee2353d581f99db61ec7ed969a26067ae195e629ff946469a8732c1a5b05c
                                                                                    • Instruction Fuzzy Hash: 7D01F732204BC05FD7104A6DC880A9BB7E9DF887B8F108A1DE4B987A80E765EC448691
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 6CBEA15D
                                                                                    • EndDialog.USER32(?,00000000), ref: 6CBEA17F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DialogWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2634769047-0
                                                                                    • Opcode ID: e52995a3e796348c475dbe93b8caed7342a1ab0c804c330ddf423ab517861e76
                                                                                    • Instruction ID: ac5f5975fd76ab8c65c1f555614c7729c93f17b34b280f9373223af35ac6d4c5
                                                                                    • Opcode Fuzzy Hash: e52995a3e796348c475dbe93b8caed7342a1ab0c804c330ddf423ab517861e76
                                                                                    • Instruction Fuzzy Hash: ABF08231641154AFD7108F56D808EBB7BBDEB8BBA5F054025F524C7650D3709801CF92
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6CBEA523,00000001), ref: 6CBED04C
                                                                                    • HeapDestroy.KERNEL32(?,6CBEA523,00000001), ref: 6CBED083
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$CreateDestroy
                                                                                    • String ID:
                                                                                    • API String ID: 3296620671-0
                                                                                    • Opcode ID: 260d7009f5e99a9a0a31916c89d8d8b349f9acd629236f7904797f417147ceed
                                                                                    • Instruction ID: f40be978767a7dee96366c449cd83d206d22f6aa80ff5fca76c5a6d0ef9fb11a
                                                                                    • Opcode Fuzzy Hash: 260d7009f5e99a9a0a31916c89d8d8b349f9acd629236f7904797f417147ceed
                                                                                    • Instruction Fuzzy Hash: B3F0A031788380AAEF106B71B8057563ABCE78ABDAF188425E418C6541EBB09155CE05
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fclose_nolock
                                                                                    • String ID:
                                                                                    • API String ID: 4232755567-0
                                                                                    • Opcode ID: 6720ea87a5f9a09ee11495e43d5060c205233d35dff64aa982583c8a387a729d
                                                                                    • Instruction ID: e86e5862e835406a86cbfa7ad030f42af9fd6b152a19c61ffccd1d09f916d646
                                                                                    • Opcode Fuzzy Hash: 6720ea87a5f9a09ee11495e43d5060c205233d35dff64aa982583c8a387a729d
                                                                                    • Instruction Fuzzy Hash: B7F0C2708003D09AC711AF7989006DE7FB49F89BB8F119749D438A6AD0C77C46069F56
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __calloc_impl
                                                                                    • String ID:
                                                                                    • API String ID: 2175177749-0
                                                                                    • Opcode ID: 6bc0eed9ca1301c1c806570c5c14b31f498a1e2defb2505aa1be8d54acaea466
                                                                                    • Instruction ID: 5ad21938a61df687e0d1cba20b6b5021ab93e6769442f3ded9e24a3d8f3aa1c5
                                                                                    • Opcode Fuzzy Hash: 6bc0eed9ca1301c1c806570c5c14b31f498a1e2defb2505aa1be8d54acaea466
                                                                                    • Instruction Fuzzy Hash: 11E092B6611194BBCB116A99D901AEE3BADEF88AE9F250061AC04E7604D774DE0487E1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 6CBDEAE2
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDEAEF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryErrorLastSystem
                                                                                    • String ID: %d.%02d.%02d.%04d.%d$BDA4*.CAT$Catalog name too long, %s.$CatalogFile$DX%s.CAT$DX4*.CAT$DirectXUpdateInstall$GetPrivateProfileString()$GetsystemDirectory()$InstCatWin() failed. Certificate, catalog file and module need to be checked.$InstallCatalogFile$InstallCatalogFile(): installing %s ...$Unable to create catalog name, %s%s.$Unable to create catalog name, %sD.$Unable to create catalog name, %seng.$Unable to create catalog name, %sengD.$Unable to create path string, %s%s.$Unable to create path string, %s\%s.$Unable to create path string, %s\.$Unable to get catalog name, Inf: %s.$Version$Warning: InstallCatalogFile: DeleteOldCatalogFile() returns 0, continue...$\ddraw.dll$\dinput8d.dll$\msyuv.dll$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$eng$engD
                                                                                    • API String ID: 3081803543-1549923111
                                                                                    • Opcode ID: 28d48bd7fa89603a8410d1f0ec653e2a2bd0557793034980a6a5814a78562518
                                                                                    • Instruction ID: 61ca1297c8614398c9889332157d811a872c57bb8bbc1a904897c2801326a96e
                                                                                    • Opcode Fuzzy Hash: 28d48bd7fa89603a8410d1f0ec653e2a2bd0557793034980a6a5814a78562518
                                                                                    • Instruction Fuzzy Hash: C0B165B59452E9B6DB60DBA18C44EDFBABCDF45364F060591F508E2940EB30FA848EE1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 6CBE2209: _memset.LIBCMT ref: 6CBE224D
                                                                                      • Part of subcall function 6CBE2209: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 6CBE2262
                                                                                      • Part of subcall function 6CBE2209: GetLastError.KERNEL32(00000000,?,\mdxredist.msi,00000000), ref: 6CBE226D
                                                                                      • Part of subcall function 6CBE1F44: _memset.LIBCMT ref: 6CBE1F7A
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\.NETFramework\AssemblyFolders,00000000,00020007,?,?,{B4C88CF0-B617-4658-8F84-C4E847FBC9F7},?,ProductCode,?,?), ref: 6CBE2F38
                                                                                    • RegOpenKeyExA.ADVAPI32(?,ManagedDX,00000000,00000001,?), ref: 6CBE2F5C
                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 6CBE2F89
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 6CBE2F9B
                                                                                    • RegDeleteKeyA.ADVAPI32(?,ManagedDX), ref: 6CBE3019
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 6CBE3094
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                      • Part of subcall function 6CBDBBDC: _strrchr.LIBCMT ref: 6CBDBBF5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpen__wstrtime_memset_strrchr$DeleteDirectoryErrorLastQuerySystemValue
                                                                                    • String ID: DirectXUpdateInstall$GetMDXProductVersion() failed.$GetMDXVersion() failed.$InstallMDX$InstallMDX(): MDX: %d.%02d.%02d.%04d, Update:%d.%02d.%02d.%04d$InstallMDX(): Unable to remove [%s\%s], result = %d.$InstallMDX(): installing MDX 9.1...$InstallMDX(): removing MDX 9.0 reference files...$InstallMDX(): unable to find %s.$InstallMDX(): uninstalling MDX 9.0...$InstallMDX(): updating MDX 9.1...$InstallMDX(): updating MDX...$ManagedDX$MsiConfigureProductEx()$MsiInstallProduct()$ProductCode$REINSTALL=ALL REINSTALLMODE=aumv$RegCloseKey()$RegOpenKeyEx()$RegQueryValueEx()$Software\Microsoft\.NETFramework\AssemblyFolders$Unable to create path string, %s%s.$Unable to initialize CDXMsi.$VersionString$\mdxredist.msi$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp${7F34A21F-2DEB-4598-BB19-611D6BD24271}${B4C88CF0-B617-4658-8F84-C4E847FBC9F7}
                                                                                    • API String ID: 2153593905-857003154
                                                                                    • Opcode ID: 59d133681a60c1ebc4b9d55f9caf04137ceb31d515810a0f06a97f6b8fab5dc9
                                                                                    • Instruction ID: fa6425c113cbef79a5ebf179f01387e0da4d8456f847cf2e185c4a9f480903c7
                                                                                    • Opcode Fuzzy Hash: 59d133681a60c1ebc4b9d55f9caf04137ceb31d515810a0f06a97f6b8fab5dc9
                                                                                    • Instruction Fuzzy Hash: ADD1D4B59002E97BDB219B608C85FEE76BCDB0CB54F510599F508E3941DB30AF88CB66
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00000000,?,?,\dsetup.dll), ref: 6CBE0D66
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE0D71
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastModuleName
                                                                                    • String ID: $CopyCount$DXUpdate$DestinationDirs$DirectXUpdateGetSetupInformation$DirectXUpdateGetSetupInformation(): DXGetFileVersion() failed, file: %s.$DirectXUpdateGetSetupInformation(): DirectX Version: %d.%02d.%02d.%04d.%d$DirectXUpdateGetSetupInformation(): Section [%d.%02d.%02d.%04d.%d-%d.%02d.%02d.%04d.%d_%s] is being installed.$DirectXUpdateGetSetupInformation(): Section [%d.%02d.%02d.%04d.%d-%d.%02d.%02d.%04d.%d_%s_%s] is being installed.$DirectX_Update$DirectX_Update_PlugIn$GetDXVersion() failed.$GetModuleFileName()$GetSectionNamesFromInf() failed.$Invalid parameter.$MDXDLLs$NumberOfFiles$Size$SourceDisksFiles$SourceDisksNames$StringToVersionInfo() failed, version = %s.$Strings$Unable to create path string, %s\dsetup.dll.$Unable to load section list from %s.$Version$\dsetup.dll$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 2776309574-2123207260
                                                                                    • Opcode ID: 302816032b194696b6b1ad7edae3fae0a829b07c027c0d4bab13fbd1e0f7535e
                                                                                    • Instruction ID: b8be33ed19c433c85e6887a2c1c71739e23b62cdd1bea66e54d88a0e11ffc568
                                                                                    • Opcode Fuzzy Hash: 302816032b194696b6b1ad7edae3fae0a829b07c027c0d4bab13fbd1e0f7535e
                                                                                    • Instruction Fuzzy Hash: DEE1E5759002E8AADF218B548C40FEE7778EF0D754F150195F808F6991DB31EA88DFA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBDFB3E
                                                                                    • _memset.LIBCMT ref: 6CBDFBA9
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,?,6CBD12F4,dxupdate.inf,?,00000000,?), ref: 6CBDFBBD
                                                                                    • _memset.LIBCMT ref: 6CBDFBFC
                                                                                    • FindFirstFileA.KERNEL32(?,?,?,?,\*.*,?,00000000,?,?,\Microsoft.NET\DirectX for Managed Code), ref: 6CBDFCA8
                                                                                    • lstrcmpA.KERNEL32(?,6CBD4608), ref: 6CBDFCD3
                                                                                    • lstrcmpA.KERNEL32(?,6CBD4604), ref: 6CBDFCED
                                                                                    • GetFileAttributesA.KERNEL32(?,?,?,6CBD12F4,?), ref: 6CBDFD29
                                                                                    • GetLastError.KERNEL32 ref: 6CBDFD34
                                                                                      • Part of subcall function 6CBD9BC1: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 6CBD9D51
                                                                                      • Part of subcall function 6CBD9BC1: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD9D76
                                                                                    • FindNextFileA.KERNEL32(?,?), ref: 6CBDFDAB
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDFBC8
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • FindClose.KERNEL32(?), ref: 6CBDFE1A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind_memset$ErrorLast__wstrtimelstrcmp$AttributesCloseDirectoryFirstFormatFreeLocalMessageNextWindows_strrchr
                                                                                    • String ID: GetFileAttributes()$GetWindowsDirectory()$IsMDXDevInUse$MDXDLLs$Unable to create path string, %s%s.$Unable to create path string, %s\%s.$Unable to create path string, %s\*.*.$Unable to create path string, %s\.$\*.*$\Microsoft.NET\DirectX for Managed Code$dxupdate.inf$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 3616435459-4245276639
                                                                                    • Opcode ID: 2c18efa7a1d92ff47a3547776d596bab0d18ec50b748a012405bfde40493c1ef
                                                                                    • Instruction ID: 5678560194bdfad70b1736322e24476d90ab1d2571fd009061378c6b679c67da
                                                                                    • Opcode Fuzzy Hash: 2c18efa7a1d92ff47a3547776d596bab0d18ec50b748a012405bfde40493c1ef
                                                                                    • Instruction Fuzzy Hash: D17183B59052DCAADB10DBA08C44EEF777DDB49368F0605A1F519E2941EB30BF888F61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                    • __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9A8B: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 6CBD9AC1
                                                                                      • Part of subcall function 6CBD9A8B: OutputDebugStringA.KERNEL32(DXSETUP_DPF(): Unable to open log file.,00000000,00000000), ref: 6CBD9AD0
                                                                                      • Part of subcall function 6CBD9A8B: CreateDirectoryA.KERNEL32(?,00000000), ref: 6CBD9B10
                                                                                      • Part of subcall function 6CBD9A8B: GetLastError.KERNEL32 ref: 6CBD9B1A
                                                                                    • _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 6CBD9D51
                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD9D76
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CBD9D7E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryErrorLast__wstrtime$CreateDebugFormatFreeLocalMessageOutputStringWindows_strrchr
                                                                                    • String ID: $ Error:$ Failed API:%s$ File in process:$ - $ module: %s(%s), file: %s, line: %d, function: %s$%s(): %s$%s(): %s failed, error = %d.$%s(): %s failed, error = 0x%x.$%s(): %s failed.$(%d)$(0x%x)$--------------------$DXSError(): FormatMessage() failed, error = %d.$DXSError(): FormatMessage() failed, system cannot find message text for error.$Mar 30 2011$[%s %s]$dxupdate
                                                                                    • API String ID: 3982051927-3131141717
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBDE812
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 6CBDE831
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDE83C
                                                                                    • StringFromGUID2.OLE32(F750E6C3,?,00000104), ref: 6CBDE875
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,00000104,00000000,00000000), ref: 6CBDE8A4
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDE8AF
                                                                                    • FindFirstFileA.KERNEL32(?,?,?,?,?,6CBDEE51), ref: 6CBDE9C9
                                                                                    • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00000001), ref: 6CBDEA3A
                                                                                    • FindClose.KERNEL32(00000000,?,?,00000000,?,00000000,00000001), ref: 6CBDEA65
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$ErrorFileLast__wstrtime$ByteCharCloseDirectoryFirstFromMultiNextStringSystemWide_memset_strrchr
                                                                                    • String ID: DX%s.CAT$DeleteOldCatalogFile$DeleteOldCatalogFile(): removing %s...$GetsystemDirectory()$InstCatWin() failed.$StringCchPrintf()$StringFromGUID2()$Unable to create path string, %s%s%s.$Unable to create path string, %s\sfp\tempcats\%s.$Unable to create path string, \CATROOT\%s\.$WideCharToMultiByte()$\CATROOT\%s\$\sfp\tempcats\$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 3317173840-3190328117
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _strnlen.LIBCMT ref: 6CBDF104
                                                                                    • CharLowerA.USER32(?,?,00000104,?,?,?,?,?,75A9B4B0,?), ref: 6CBDF129
                                                                                    • _strnlen.LIBCMT ref: 6CBDF202
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime_strnlen$CharLower_strrchr
                                                                                    • String ID: ;$GetInfAndSection$LoadListFromInfSection() failed.$Unable to load list from %s:[%s].$copycount$dependencies$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$malloc()$numberoffiles$size$targetbuildnumber
                                                                                    • API String ID: 3123729947-1907312236
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBE09D0
                                                                                    • _memset.LIBCMT ref: 6CBE09E4
                                                                                    • GetPrivateProfileStringA.KERNEL32(?,Dependencies,6CBD311C,?,00000104,?), ref: 6CBE0A16
                                                                                    • _strrchr.LIBCMT ref: 6CBE0B07
                                                                                    • GetPrivateProfileStringA.KERNEL32(?,TargetBuildNumber,6CBD311C,?,00000104,?), ref: 6CBE0B7D
                                                                                    • GetVersionExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBE0C1F
                                                                                    • GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBE0C74
                                                                                    Strings
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp, xrefs: 6CBE0AB6, 6CBE0C8A
                                                                                    • CheckDependency, xrefs: 6CBE0AAC, 6CBE0C80
                                                                                    • CheckDependency(): no dependency., xrefs: 6CBE0AE8
                                                                                    • CheckDependency(): supported build number: %d - %d., xrefs: 6CBE0BD9
                                                                                    • CheckDependency(): build %d is not supported, this Plug-In is not installed., xrefs: 6CBE0C43
                                                                                    • GetVersionEx(), xrefs: 6CBE0C7B
                                                                                    • TargetBuildNumber, xrefs: 6CBE0B6C
                                                                                    • Dependencies, xrefs: 6CBE0A05
                                                                                    • CheckDependency(): supported build number is not checked for this Plug-In., xrefs: 6CBE0BEE
                                                                                    • CheckDependency(): supported build number: %d - ., xrefs: 6CBE0C02
                                                                                    • Unable to create path string, %s\%s., xrefs: 6CBE0AA5
                                                                                    • CheckDependency(): build %d is supported., xrefs: 6CBE0C65
                                                                                    • , , xrefs: 6CBE0A31, 6CBE0ACA
                                                                                    • CheckDependency(): %s does not exist, this Plug-In is not installed., xrefs: 6CBE0A85
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfileString_memset$ErrorLastVersion_strrchr
                                                                                    • String ID: , $CheckDependency$CheckDependency(): %s does not exist, this Plug-In is not installed.$CheckDependency(): build %d is not supported, this Plug-In is not installed.$CheckDependency(): build %d is supported.$CheckDependency(): no dependency.$CheckDependency(): supported build number is not checked for this Plug-In.$CheckDependency(): supported build number: %d - %d.$CheckDependency(): supported build number: %d - .$Dependencies$GetVersionEx()$TargetBuildNumber$Unable to create path string, %s\%s.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 4223943085-915270717
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetWindowsDirectoryA.KERNEL32(6CBF9DB0,00000104,6CBE472C,00000000,CMDXInstall::Install,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp,00000000), ref: 6CBDD8AD
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDD8B8
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • _strrchr.LIBCMT ref: 6CBDD91D
                                                                                    • FindFirstFileA.KERNEL32(6CBE472C,?,6CBE472C,6CBE472C,00000000,CMDXInstall::Install,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp,00000000), ref: 6CBDDAF5
                                                                                    • FindClose.KERNEL32(00000000), ref: 6CBDDB07
                                                                                    • FindFirstFileA.KERNEL32(858D5330,?), ref: 6CBDDB13
                                                                                    • FindClose.KERNEL32(00000000), ref: 6CBDDB1F
                                                                                    Strings
                                                                                    • Unable to create path string, %s%s., xrefs: 6CBDD95B
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp, xrefs: 6CBDD883, 6CBDD8CE, 6CBDD96E
                                                                                    • Unable to get Version on target file %s, xrefs: 6CBDD9D4
                                                                                    • Currently %s is newer than the one being installed., xrefs: 6CBDDB31
                                                                                    • \RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}, xrefs: 6CBDD8EF, 6CBDD955
                                                                                    • GetWindowsDirectory(), xrefs: 6CBDD8BF
                                                                                    • Skipped file %s, xrefs: 6CBDD944
                                                                                    • Target file: '%s' Target file is Version %d.%d.%d.%dSource file is Version %d.%d.%d.%d, xrefs: 6CBDDA59
                                                                                    • %s have been installed already., xrefs: 6CBDDB69
                                                                                    • CMDXInstall::Install, xrefs: 6CBDD887
                                                                                    • CheckVersions, xrefs: 6CBDD8C4, 6CBDD964
                                                                                    • Unable to get Version on source file %s, xrefs: 6CBDD9F1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileFirst__wstrtime_strrchr$DirectoryErrorLastWindows
                                                                                    • String ID: %s have been installed already.$CMDXInstall::Install$CheckVersions$Currently %s is newer than the one being installed.$GetWindowsDirectory()$Skipped file %s$Target file: '%s' Target file is Version %d.%d.%d.%dSource file is Version %d.%d.%d.%d$Unable to create path string, %s%s.$Unable to get Version on source file %s$Unable to get Version on target file %s$\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 2366300620-2040491264
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,00000104,?,?,00000000), ref: 6CBDE69E
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDE6A9
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 6CBDE6EA
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDE6F5
                                                                                    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 6CBDE713
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDE740
                                                                                    • GetLastError.KERNEL32 ref: 6CBDE76C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$AddressDiskFreeHandleModuleProcSpace
                                                                                    • String ID: DXGetDiskFreeSpace$DXGetDiskFreeSpace(): Unable to find GetDiskFreeSpaceEx(), (%d). Use GetDiskFreeSpace()$GetDiskFreeSpace()$GetDiskFreeSpaceEx()$GetDiskFreeSpaceExA$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$kernel32.dll
                                                                                    • API String ID: 3160920872-3630560494
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBDC07A
                                                                                    • GetPrivateProfileStringA.KERNEL32(DirectX_Attributes,PNP_DEVICE_ID,6CBD311C,?,00000104,00DEDAC8), ref: 6CBDC0A5
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$PrivateProfileString_memset_strrchr
                                                                                    • String ID: CSetupAPI is not initialized.$DirectX_Attributes$GetPrivateProfileString()$Inf: %s, Section: %s, Entry: PNP_DEVICE_ID$PNP_DEVICE_ID$Unable to get hardware ID.$UpdatePnPDrv$UpdatePnPDrv(): INF:%s ID:%s.$UpdateUnpluggedPnpDrv() failed.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 3478578772-3059308929
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __get_wpgmptr.LIBCMT ref: 6CBF62E9
                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 6CBF6314
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 6CBF632C
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6CBF6355
                                                                                    • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6CBF6365
                                                                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 6CBF63EC
                                                                                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 6CBF63FF
                                                                                      • Part of subcall function 6CBEE1C7: OutputDebugStringA.KERNEL32(Invalid parameter passed to C runtime function.), ref: 6CBEE25B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$AddressAllocDebugHandleInfoModuleOutputProcProtectQueryStringSystem__get_wpgmptr
                                                                                    • String ID: SetThreadStackGuarantee$kernel32.dll
                                                                                    • API String ID: 2401657611-423161677
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetPrivateProfileStringA.KERNEL32(MDX,Version,6CBD311C,?,00000104,?), ref: 6CBDD7D2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$PrivateProfileString_strrchr
                                                                                    • String ID: GetMDXCifVersion$GetPrivateProfileString()$MDX$StringToVersionInfo() failed, version = %s.$Unable to get MDX version from CIF.$Version$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 2523604036-1635775825
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 6CBF1C2E: SetFilePointer.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00BFBBEF,6CBF3458,6CBF3458,?,6CBF1EBB,00BFBBEF,00000000,00000000,00000002,00000000,00000000), ref: 6CBF1C70
                                                                                      • Part of subcall function 6CBF1C2E: GetLastError.KERNEL32(?,6CBF1EBB,00BFBBEF,00000000,00000000,00000002,00000000,00000000,00000002), ref: 6CBF1C7D
                                                                                      • Part of subcall function 6CBF1C2E: __dosmaperr.LIBCMT ref: 6CBF1C88
                                                                                    • GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?,?,00000000,00000109,00000000,?,?,6CBF321D,00000109,00000000), ref: 6CBF5A7F
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000000,00000109,00000000,?,?,6CBF321D,00000109,00000000), ref: 6CBF5A86
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000109,00000000,?,?,6CBF321D), ref: 6CBF5B02
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000109,00000000,?,?,6CBF321D,00000109), ref: 6CBF5B09
                                                                                    • SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000109,00000000,?,?,6CBF321D), ref: 6CBF5B64
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000109,00000000,?,?,6CBF321D,00000109), ref: 6CBF5B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$ErrorFileLastProcess$AllocFreePointer__dosmaperr
                                                                                    • String ID:
                                                                                    • API String ID: 3789379547-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CBEF065
                                                                                    • UnhandledExceptionFilter.KERNEL32(6CBD861C), ref: 6CBEF070
                                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 6CBEF07B
                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 6CBEF082
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 3231755760-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(?,00000000,00000000,?,?), ref: 6CBEACD3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: LocalTime
                                                                                    • String ID:
                                                                                    • API String ID: 481472006-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: csm
                                                                                    • API String ID: 0-1018135373
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBE32E9
                                                                                    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 6CBE333B
                                                                                    • GetLastError.KERNEL32(00000000,?,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp,00000000), ref: 6CBE3346
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$DirectoryErrorLastSystem_memset_strrchr
                                                                                    • String ID: DirectXUpdateInstall$GetsystemDirectory()$InstallMSI$InstallMSI(): %s have been installed already.$InstallMSI(): %s is installed.$InstallMSI(): %s is updated.$InstallMSI(): MsiGetProductName() returned %d.$InstallMSI(): Product: %s, Installed:<%d.%02d.%02d.%04d>, Update:<%d.%02d.%02d.%04d>$InstallMSI(): installing MDX...$InstallMSI(): newer version of %s have been installed already.$InstallMSI(): unable to find msi.dll.$InstallMSI(): updating MDX...$MsiConfigureProductEx()$MsiGetProductInfo()$MsiGetProductProperty()$MsiInstallProduct()$ProductCode$ProductName$ProductVersion$REINSTALL=ALL REINSTALLMODE=aumv$StringToVersionInfo() failed, version = %s.$StringToVersioninfo() failed, version = %s.$Unable to find %s.$Unable to get product code from %s.$Unable to get product version from %s$Unable to initialize CDXMsi.$VersionString$\msi.dll$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 419038105-3012496545
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,6CBF9880,DirectXUpdateInstall,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp,00000000), ref: 6CBE588E
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE5899
                                                                                      • Part of subcall function 6CBDB06F: CharNextA.USER32(?,00000104,?,6CBE3CF3,6CBF9880,6CBF9880,00000104,?,?,00000000,?,?,dxupdate.cab), ref: 6CBDB082
                                                                                    • _memset.LIBCMT ref: 6CBE5946
                                                                                    • lstrcmpA.KERNEL32(?,DefaultInstall), ref: 6CBE595F
                                                                                    • _strrchr.LIBCMT ref: 6CBE59F2
                                                                                    • _strrchr.LIBCMT ref: 6CBE5A11
                                                                                    • _strnlen.LIBCMT ref: 6CBE5A28
                                                                                      • Part of subcall function 6CBDD09A: GetWindowsDirectoryA.KERNEL32(?,00000104,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp), ref: 6CBDD0BF
                                                                                      • Part of subcall function 6CBDD09A: GetLastError.KERNEL32(00000000), ref: 6CBDD0CA
                                                                                      • Part of subcall function 6CBE253A: GetLastError.KERNEL32 ref: 6CBE269F
                                                                                    • GetLastError.KERNEL32(Unable to iterate through %s. The file may be damaged.,00000000), ref: 6CBE5C36
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                     • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strrchr$Directory__wstrtime$CharCurrentNextWindows_memset_strnlenlstrcmp
                                                                                    • String ID: $, $DefaultInstall$DirectXUpdateInstall$ExecuteCab$ExecuteCab(): Installing:%s$ExecuteCab(): Installing:%s - [%s]$ExecuteInf() failed.$GetCurrentDirectory()$GetInfAndSection() failed.$Inf and section are not valid.$MDXDLLs$MDXInstall::Install() failed.$SetupIterateCabinet()$Unable to create path string, %s\%s.$Unable to find '.'.$Unable to find '\'.$Unable to initialize CSetupAPI.$Unable to initialize MDXInstall.$Unable to iterate through %s. The file may be damaged.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$inf
                                                                                    • API String ID: 3877836308-1548703517
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBDAC50
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 6CBDAC64
                                                                                    • DeleteFileA.KERNEL32(?,?,00000000,?,?,\sfp\tempcats\,?), ref: 6CBDAD14
                                                                                    • GetLastError.KERNEL32(Unable to remove %s.,?), ref: 6CBDAD2E
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDAC6F
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,\sfp,?,?,6CBF9880), ref: 6CBDADC9
                                                                                    • GetLastError.KERNEL32 ref: 6CBDADDE
                                                                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,\sfp\tempcats), ref: 6CBDAE3B
                                                                                    • GetLastError.KERNEL32 ref: 6CBDAE45
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Directory$Create__wstrtime$DeleteFileSystem_memset_strrchr
                                                                                    • String ID: CopyFile()$CreateDirectory()$DX%s.CAT$DeleteFile()$GetSystemDirectory()$InstCatWin9X$InstCatWin9X(): deleting catalog file...$InstCatWin9X(): installing catalog file...$Unable to copy %s to %s.$Unable to create path string, %s%s.$Unable to create path string, %s\sfp.$Unable to create path string, %s\sfp\tempcats.$Unable to create path string, %s\sfp\tempcats\%s.$Unable to find %s.$Unable to remove %s.$\sfp$\sfp\tempcats$\sfp\tempcats\$e:\bt\382730\setup\deliverables\dxupdate\instcat.cpp
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 6CBDA2E4: _vswprintf_s.LIBCMT ref: 6CBDA317
                                                                                    • _strrchr.LIBCMT ref: 6CBDFFD4
                                                                                    • GetTempFileNameA.KERNEL32(?,DXI,00000000,?,?,00000104,?,?,00000000,?,?), ref: 6CBDFFF9
                                                                                    • GetLastError.KERNEL32(00000000,?,00000000,?,?), ref: 6CBE0004
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastNameTemp_strrchr_vswprintf_s
                                                                                    • String ID: CopyFile()$DXI$EnableINTLStringSection$EnableINTLStringSection(): Language is not found in inf defaulting to english.$EnableINTLStringSection(): unable to find louserzed string section, original CIF file is used.$GetTempFileName()$Unable to copy %s to %s.$Unable to create temp file %s.$Unable to find back slash, failed to create path.$Unable to open %s.$Use string section : [Strings.%s]$[Strings.%s]$[Strings.eng]$[Strings]$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$fopen$fopen()
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • _strnlen.LIBCMT ref: 6CBE53A8
                                                                                      • Part of subcall function 6CBD9EA5: CompareStringA.KERNEL32(00000409,00000001,?,000000FF,6CBE0ED5,000000FF,?,6CBE0ED5,?,Version,?,00000000,?), ref: 6CBD9EBB
                                                                                    • _strnlen.LIBCMT ref: 6CBE5416
                                                                                    • _strrchr.LIBCMT ref: 6CBE5461
                                                                                    • _strnlen.LIBCMT ref: 6CBE55CA
                                                                                    • GetLastError.KERNEL32 ref: 6CBE5501
                                                                                      • Part of subcall function 6CBD9BC1: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 6CBD9D51
                                                                                      • Part of subcall function 6CBD9BC1: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD9D76
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strnlen$__wstrtime_strrchr$CompareErrorFormatFreeLastLocalMessageString
                                                                                    • String ID: %s is not downloaded.$.exe$General$GetSectionNamesFromInf() failed.$IterateDownloadedCabs$IterateDownloadedCabs(): %s is not cab, skipped.$IterateDownloadedCabs(): %s is removed.$IterateDownloadedCabs(): Iterating through %s$IterateDownloadedCabs(): Unable to get cab list in section.$IterateDownloadedCabs(): removing [%s] ...$IterateDownloadedCabs(): start section : [%s]$LoadListFromInfSection() failed.$SetupIterateCabinet()$URL$Unable to create path string, %s\%s.$Unable to find cab list, %s.$Unable to initialize CSetupAPI.$Unable to iterate through %s. The file may be damaged.$Unable to load cab list, %s.$Unable to remove %s, need to remove this file.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$filelist.dat
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBE3853
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 6CBE386E
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE3879
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$DirectoryErrorLastSystem_memset_strrchr
                                                                                    • String ID: %s-%s_LFN$;$CheckLFN$CheckLFN(): %s is locked!$CheckLFN(): %s is not locked.$CheckLFN(): SetupFindFirstLine() returns 0, reason = %d.$CheckLFN(): checking [%s]...$CheckLFN(): section [%s] is not found in %s.$GetSystemDirectory()$SetupGetLineText()$SetupOpenInfFile()$StringCchPrintf()$Unable to create path string, %s\%s.$Unable to create path string, %s\.$Unable to create section name, %s-%s_LFN.$Unable to initialize CSetupAPI.$Unable to open %s.$dxupdate.inf$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 6CBDDDA6
                                                                                    • GetLastError.KERNEL32(Unable to copy %s to %s.,?,?), ref: 6CBDDDC3
                                                                                    • CharLowerA.USER32(?,?,00000004,?,?,00000000,?,?,dx9bdaxp.cat,?,?,dx9bda.cat,?,?,6CBD12F4,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp), ref: 6CBDDE18
                                                                                    • lstrcmpA.KERNEL32(?,eng), ref: 6CBDDE2A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$CharCopyErrorFileLastLower_strrchrlstrcmp
                                                                                    • String ID: CopyFile()$RenameFiles$Renamed %s to %s$Unable to copy %s to %s.$Unable to create path string, %s%s.$Unable to create path string, %s\.$Unable to find %s to rename, skipped.$dijoy%s.hlp$dijoy.hlp$dx9bda.cat$dx9bdaxp.cat$dx9w9x.cat$dxdia%s.chm$dxdiag.chm$dxw9x%s.cat$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$eng$joystick.inf$jystk%s.inf
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32 ref: 6CBDBE8B
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDBFC9
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast__wstrtime$_strrchr
                                                                                    • String ID: $CSetupAPI is not initialized.$SetupDiDestroyDeviceInfoList()$SetupDiEnumDeviceInfo()$SetupDiGetClassDevs()$SetupDiGetDeviceRegistryProperty()$SetupDiSetDeviceRegistryProperty()$Unable to allocate memory block.$UpdateUnpluggedPnPDrv$UpdateUnpluggedPnPDrv(): %s is found.$UpdateUnpluggedPnPDrv(): ID:%s.$UpdateUnpluggedPnPDrv(): SetupDiEnumDeviceInfo() completed.$UpdateUnpluggedPnPDrv(): SetupDiSetDeviceRegistryProperty() succeeded.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBDAA3A
                                                                                    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 6CBDAA63
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDAA6E
                                                                                    • StringFromGUID2.OLE32(F750E6C3,?,00000104), ref: 6CBDAAA5
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,00000104,00000000,00000000), ref: 6CBDAAD4
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDAADF
                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,00000000), ref: 6CBDAB94
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDAB9F
                                                                                    • DeleteFileA.KERNEL32(?), ref: 6CBDABBD
                                                                                    • GetLastError.KERNEL32(Unable to remove %s.,?), ref: 6CBDABD3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$File$AttributesByteCharDeleteDirectoryFromMultiStringSystemWide_memset
                                                                                    • String ID: %s\CATROOT\%s\%s$DeleteFile()$GetSystemDirectory()$InstCatWin2K$InstCatWin2K(): OBSOLETE: catalog file for Win2K must be installed with the inf file.$InstCatWin2K(): deleting catalog file...$SetFileAttributes()$StringFromGUID2()$Unable to create path string, %s\CATROOT\%s\%s.$Unable to remove %s.$WideCharToMultiByte()$e:\bt\382730\setup\deliverables\dxupdate\instcat.cpp
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBE224D
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 6CBE2262
                                                                                    • GetLastError.KERNEL32(00000000,?,\mdxredist.msi,00000000), ref: 6CBE226D
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                      • Part of subcall function 6CBD9BC1: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 6CBD9D51
                                                                                      • Part of subcall function 6CBD9BC1: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD9D76
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$DirectoryErrorFormatFreeLastLocalMessageSystem_memset_strrchr
                                                                                    • String ID: GetMDXProductVersion$GetMDXProductVersion(): MDX 9.0 [%s]$GetMDXProductVersion(): MDX 9.1 [%s]$GetProductProperty()$GetsystemDirectory()$MsiGetProductProperty()$ProductCode$ProductVersion$Unable to create path string, %s%s.$Unable to get product code from %s.$Unable to get product version from %s.$Unable to initialize CDXMsi.$Unknown MDX package [%s].$\mdxredist.msi$\msi.dll$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp${7F34A21F-2DEB-4598-BB19-611D6BD24271}${B4C88CF0-B617-4658-8F84-C4E847FBC9F7}
                                                                                    • API String ID: 1089790045-1702744034
                                                                                    • Opcode ID: fcd08bda890ff35d96cdd646845b21acdc7c1500e62dd7581186190edc0d84dc
                                                                                    • Instruction ID: 422f56ee59b5887a510c8c46f6c4b96f35d0559f7f7839e4a092d2f51e3632d6
                                                                                    • Opcode Fuzzy Hash: fcd08bda890ff35d96cdd646845b21acdc7c1500e62dd7581186190edc0d84dc
                                                                                    • Instruction Fuzzy Hash: 9371D4F6D00299ABDB219B64CC44FEE73BCEB0C758F110495F519A2940DB70AF888F66
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBDC16F
                                                                                    • CreateProcessA.KERNEL32(00000000,6CBD46C8,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?), ref: 6CBDC193
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000104,?), ref: 6CBDC1A6
                                                                                    • GetLastError.KERNEL32(00000000,?,00000104,?), ref: 6CBDC1B2
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 6CBDC1DE
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 6CBDC1E3
                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 6CBDC1F5
                                                                                    • GetLastError.KERNEL32(00000000,?,00000104,?), ref: 6CBDC200
                                                                                    • CloseHandle.KERNEL32(?,?,00000104,?), ref: 6CBDC221
                                                                                    • GetLastError.KERNEL32(00000000,?,00000104,?), ref: 6CBDC228
                                                                                    • CloseHandle.KERNEL32(?,?,00000104,?), ref: 6CBDC243
                                                                                    • GetLastError.KERNEL32(00000000,?,00000104,?), ref: 6CBDC24A
                                                                                    • GetLastError.KERNEL32(00000000,?,00000104,?), ref: 6CBDC268
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CloseHandle$Process$CodeCreateExitObjectSingleWait_memset
                                                                                    • String ID: CloseHandle()$CreateProcess()$GetExitCodeProcess()$RunProcess$WaitForSingleObject()$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 1220342516-444330189
                                                                                    • Opcode ID: 1fdf831000bc2304e02fa22ca7713e4c6cfbb0c9f4ade2d0a8760865b1b10d06
                                                                                    • Instruction ID: 7dcf43591ce5e7d44252eee76aeb45e133914f41942cff9892126d8c00c2018e
                                                                                    • Opcode Fuzzy Hash: 1fdf831000bc2304e02fa22ca7713e4c6cfbb0c9f4ade2d0a8760865b1b10d06
                                                                                    • Instruction Fuzzy Hash: 23318175A801E6BBDB017BE58C08DAF7B3CEF42775B160511F912F2981D630BA049BA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBE1F7A
                                                                                    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 6CBE1FC4
                                                                                    • GetLastError.KERNEL32(00000000,?,?,00000104), ref: 6CBE1FCF
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$DirectoryErrorLastSystem_memset_strrchr
                                                                                    • String ID: GetMDXVersion$GetMDXVersion(): MDX 9.0 [%s] is detected.$GetMDXVersion(): MDX 9.0 is not detected.$GetMDXVersion(): MDX 9.1 [%s] is detected.$GetMDXVersion(): MDX 9.1 is not detected.$GetMDXVersion(): unable to find Windows Installer component.$GetsystemDirectory()$Invalid parameter - version information is NULL.$MsiGetProductInfo()$Unable to initialize CDXMsi.$VersionString$\msi.dll$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp${7F34A21F-2DEB-4598-BB19-611D6BD24271}${B4C88CF0-B617-4658-8F84-C4E847FBC9F7}
                                                                                    • API String ID: 419038105-2521548459
                                                                                    • Opcode ID: 6617b979f102fc83948d17b54b1a5de4f8f040aad0c2cee6e428cb76bcfe5bf4
                                                                                    • Instruction ID: 6a8f54c2db01d3b955312e8c5b58a21b069e9ee75038192146d6b82bf4b7094c
                                                                                    • Opcode Fuzzy Hash: 6617b979f102fc83948d17b54b1a5de4f8f040aad0c2cee6e428cb76bcfe5bf4
                                                                                    • Instruction Fuzzy Hash: 6D614BB58402D9ABDB229B64CC48FDE76BCDF4CB59F51049AF504A2940DB306F848F67
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryExA.KERNEL32(6CBE2ADF,00000000,00000008,6CBE2ADF,00000000,00000000,6CBE81D2,00000000,?,?,?,6CBE2ADF,0000003B), ref: 6CBDF462
                                                                                    • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 6CBDF47A
                                                                                    • GetLastError.KERNEL32(Module: %s, Function %s,6CBE2ADF,DllRegisterServer,?,?,?,6CBE2ADF,0000003B), ref: 6CBDF4D1
                                                                                    • FreeLibrary.KERNEL32(6CBE2ADF,?,?,?,?,?,?,6CBE2ADF,0000003B), ref: 6CBDF4EF
                                                                                    • GetLastError.KERNEL32(00000000,?,?,?,?,?,?,6CBE2ADF,0000003B), ref: 6CBDF4FA
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • GetLastError.KERNEL32(Unable to load %s.,6CBE2ADF,?,?,?,6CBE2ADF,0000003B), ref: 6CBDF51D
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Library__wstrtime$AddressFreeLoadProc_strrchr
                                                                                    • String ID: DllRegisterServer$DllRegisterServer()$FreeLibrary()$GetProcAddress()$LoadLibraryEx()$Module: %s, Function %s$RegisterDLL$RegisterDLL(): %s is registered successfully.$Unable to find find %s.$Unable to load %s.$Unable to register %s.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 1678312016-3976787067
                                                                                    • Opcode ID: b95c2cf23e386410db7e9da1efb9abcecce01e9852bb57678b23f59f7ecb246f
                                                                                    • Instruction ID: 77e82542e2f329d75e0ea95422a7201d3dcb537fc6d19fc5293dbb65eae7c60f
                                                                                    • Opcode Fuzzy Hash: b95c2cf23e386410db7e9da1efb9abcecce01e9852bb57678b23f59f7ecb246f
                                                                                    • Instruction Fuzzy Hash: DA21E275A052C0BAE7106BE59C49DBF3E2CDB427BAB074414F904A3940EB20BE408AB6
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(sfc.dll,DirectXUpdateInstall,00000000,00000000,?,?,6CBDAFC7,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp), ref: 6CBDA11A
                                                                                    • GetProcAddress.KERNEL32(00000000,00000008), ref: 6CBDA136
                                                                                    • GetProcAddress.KERNEL32(00000009), ref: 6CBDA145
                                                                                    • GetProcAddress.KERNEL32(SRSetRestorePoint), ref: 6CBDA157
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: DirectXUpdateInstall$FreeLibrary()$GetProcAddress()$LoadLibrary()$LoadSfcDLL$Module: %s$SRSetRestorePoint$Unable to load %s.$e:\bt\382730\setup\deliverables\dxupdate\instcat.cpp$sfc.dll
                                                                                    • API String ID: 2238633743-2231956943
                                                                                    • Opcode ID: a49987722729a3fcd787b797bb6c20c014b5c585cd0130cd0e436cab405e122c
                                                                                    • Instruction ID: 66c9f554679efec5897eab7bb9b33d2a66a3fcd576de5e41c11fedbd0665c2d1
                                                                                    • Opcode Fuzzy Hash: a49987722729a3fcd787b797bb6c20c014b5c585cd0130cd0e436cab405e122c
                                                                                    • Instruction Fuzzy Hash: 2E21A4B9F40281FBEF015EA59CC5E6A3AB8E753379B0A0429E621A3A11D730B900CE51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(Unable to iterate through %s. The file may be damaged.,?), ref: 6CBE3DB4
                                                                                    • GetLastError.KERNEL32(Unable to iterate through %s. The file may be damaged.,?), ref: 6CBE3E79
                                                                                    • GetLastError.KERNEL32(Unable to iterate through %s. The file may be damaged.,?), ref: 6CBE3F23
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: %s_REDIST_%04d%02d$DirectXUpdateApplyUpdate$DirectXUpdateApplyUpdate(): Extracting %s...$DirectXUpdateApplyUpdate(): There is not update cab - %s.$DirectXUpdateApplyUpdate(): Update is not found in %s.$DirectXUpdateApplyUpdate(): searching %s-*.cab.$SetupIterateCabinet()$StringCchPrintf()$Unable to create cab name, %s_REDIST_%04d%02d.$Unable to create cab name, Win??_REDIST_%04d%02d.$Unable to create path string, %s%s.$Unable to initialize CSetupAPI.$Unable to iterate through %s. The file may be damaged.$Win9X_REDIST_%04d%02d$WinNT_REDIST_%04d%02d$dxupdate.cab$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 1452528299-1828712378
                                                                                    • Opcode ID: 6773ab94cd55addc86c5c11626c401a7f7b36f2bc7dd4d7903a3831cac528bbd
                                                                                    • Instruction ID: c7ad7cdad885729e16951367fc25c12ce7c24876ed691b65c3e4fc87970ea58b
                                                                                    • Opcode Fuzzy Hash: 6773ab94cd55addc86c5c11626c401a7f7b36f2bc7dd4d7903a3831cac528bbd
                                                                                    • Instruction Fuzzy Hash: 4C8125B99402D4BAEB109BA18C40FEE767CDF09B64F014955F905E7E81EB70ED848BA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBDEF36
                                                                                    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 6CBDEF4B
                                                                                    • GetLastError.KERNEL32(00000000,?,00000000,?), ref: 6CBDEF56
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    • Unable to create path string, %s%s., xrefs: 6CBDEFA6
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp, xrefs: 6CBDEF6C, 6CBDEFB9
                                                                                    • \ddraw.dll, xrefs: 6CBDEF81, 6CBDEF86, 6CBDEFA4
                                                                                    • GetsystemDirectory(), xrefs: 6CBDEF5D
                                                                                    • CheckDirectXLanguage(): Installed DX - single language runtime, xrefs: 6CBDF04C
                                                                                    • ENG, xrefs: 6CBDF03C
                                                                                    • \dinput8d.dll, xrefs: 6CBDEFCE
                                                                                    • REDIST, xrefs: 6CBDF019
                                                                                    • CheckDirectXLanguage, xrefs: 6CBDEF62, 6CBDEFAF
                                                                                    • CheckDirectXLanguage(): Installed DX - SDK retail runtime, xrefs: 6CBDEFFF
                                                                                    • CheckDirectXLanguage(): Installed DX - multi lingual (redist) runtime, xrefs: 6CBDF00F
                                                                                    • CheckDirectXLanguage(): Installed DX - single language (English) runtime, xrefs: 6CBDF032
                                                                                    • CheckDirectXLanguage(): Installed DX - SDK debug runtime, xrefs: 6CBDEFEC
                                                                                    • SDKDEBUG, xrefs: 6CBDEFF6
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$DirectoryErrorLastSystem_memset_strrchr
                                                                                    • String ID: CheckDirectXLanguage$CheckDirectXLanguage(): Installed DX - SDK debug runtime$CheckDirectXLanguage(): Installed DX - SDK retail runtime$CheckDirectXLanguage(): Installed DX - multi lingual (redist) runtime$CheckDirectXLanguage(): Installed DX - single language (English) runtime$CheckDirectXLanguage(): Installed DX - single language runtime$ENG$GetsystemDirectory()$REDIST$SDKDEBUG$Unable to create path string, %s%s.$\ddraw.dll$\dinput8d.dll$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 419038105-3909562069
                                                                                    • Opcode ID: 4ad5f7d5bb467c97daf114b9f8363489806aff7a882418575123ebc39e2e1320
                                                                                    • Instruction ID: a83a1f2e48cd9e57f44feb78dbbba34e31ad75f36e1bd623262db29c6f1ffc4b
                                                                                    • Opcode Fuzzy Hash: 4ad5f7d5bb467c97daf114b9f8363489806aff7a882418575123ebc39e2e1320
                                                                                    • Instruction Fuzzy Hash: 6831FB769081D466E710ABA58C41FEF7B6CDB15368F130461E545E3D40EB70F6849E63
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,00000002,00000000,?,00000000,?,Software\Microsoft\.NETFramework\AssemblyFolders,\DX_,?,CMDXInstall::Install,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp,00000000), ref: 6CBE1D21
                                                                                    • _strnlen.LIBCMT ref: 6CBE1D42
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 6CBE1D5B
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 6CBE1D95
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$CloseCreateValue_strnlen_strrchr
                                                                                    • String ID: CMDXInstall::Install$CMDXInstall::SetupRegistry$RegCloseKey()$RegCreateKeyEx()$RegSetValueEx()$Software\Microsoft\.NETFramework\AssemblyFolders$StringCchCat()$Unable to create key name %s\DX_%s.$Unable to create path string, %s%s.$Unable to create path string, %s_.$\DX_$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 6CBE28E8
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE2963
                                                                                      • Part of subcall function 6CBDFE3C: lstrcmpA.KERNEL32(?,DefaultInstall,RegisterDLL64,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp,00000000), ref: 6CBDFE63
                                                                                    • GetLastError.KERNEL32(00000000,6CBE81D2,00000000), ref: 6CBE2890
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                      • Part of subcall function 6CBDB0A6: FreeLibrary.KERNEL32(00000000,00000000,6CBE21D7,?,?,?,?,\msi.dll,00000000,?,?,00000104), ref: 6CBDB0B2
                                                                                      • Part of subcall function 6CBDB0A6: GetLastError.KERNEL32(?,?,?,?,\msi.dll,00000000,?,?,00000104), ref: 6CBDB0BC
                                                                                    • GetLastError.KERNEL32(00000000,?,?,6CBE2AD8,00000000,00000000,6CBE81D2,00000000), ref: 6CBE29AC
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$__wstrtime$DirectoryFreeLibrarySystem_strrchrlstrcmp
                                                                                    • String ID: GetSystemDirectory()$RegSvr32.exe$RegisterDLL64$RegisterDLL64(): %s is not registered properly.$RegisterDLL64(): %s is registered successfully.$StringCchCat()$Unable to find find %s.$Unable to initialize CKernel32.$Wow64DisableWow64FsRedirection()$Wow64RevertWow64FsRedirection()$\regsvr32.exe /s$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp), ref: 6CBDD0BF
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDD0CA
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • GetFileAttributesA.KERNEL32(?,?,00000000,?,?,\inf\,6CBE8200), ref: 6CBDD120
                                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 6CBDD14E
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDD159
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AttributesErrorFileLast__wstrtime$DirectoryWindows_strrchr
                                                                                    • String ID: CheckReadOnlyFlag$CheckReadOnlyFlag(): %s is ReadOnly.$CheckReadOnlyFlag(): file attribute is successfully changed to NORMAL.$GetFileAttributes()$GetWindowsDirectory()$SetFileAttributes()$Unable to create path string, %s\inf\%s.$\inf\$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$e:\bt\382730\setup\deliverables\dxupdate\inline.h
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 6CBE25BC
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE25C7
                                                                                      • Part of subcall function 6CBDB06F: CharNextA.USER32(?,00000104,?,6CBE3CF3,6CBF9880,6CBF9880,00000104,?,?,00000000,?,?,dxupdate.cab), ref: 6CBDB082
                                                                                    • GetLastError.KERNEL32 ref: 6CBE269F
                                                                                    • GetLastError.KERNEL32(Unable to open %s.,?), ref: 6CBE2741
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CharCurrentDirectoryNext
                                                                                    • String ID: ExecuteInf$GetCurrentDirectory()$SetupInstallFromInfSection()$SetupOpenInfFile()$Unable to initialize CSetupAPI.$Unable to install %s:[%s] due to certificate problem. Please check valid certificate is installed and Cryptographic Services are enabled.$Unable to install %s:[%s]. Please verify the Cryptographic Services are enabled.$Unable to install %s:[%s]. The file is not signed properly.$Unable to install %s:[%s]. The file may be damaged.$Unable to open %s.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\DirectX,00000000,00000001,?,?,00000000,?), ref: 6CBDD62A
                                                                                    • RegQueryValueExA.ADVAPI32(?,Version,00000000,00000000,?,?), ref: 6CBDD676
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 6CBDD74E
                                                                                    Strings
                                                                                    • Version, xrefs: 6CBDD661
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp, xrefs: 6CBDD691, 6CBDD6D0, 6CBDD769
                                                                                    • GetDXVersion(): Unable to get RC string from registry, now RC is 0., xrefs: 6CBDD70A
                                                                                    • GetDXVersion, xrefs: 6CBDD63F, 6CBDD687, 6CBDD6C6, 6CBDD75F
                                                                                    • RegCloseKey(), xrefs: 6CBDD75A
                                                                                    • Current DirectX may be a older version which does not have directx key in the registry., xrefs: 6CBDD634
                                                                                    • Current DirectX may be a older version which does not have the version value in the registry., xrefs: 6CBDD67C
                                                                                    • RegQueryValueEx(), xrefs: 6CBDD682
                                                                                    • StringToVersionInfo() failed, version = %s., xrefs: 6CBDD6BF
                                                                                    • Software\Microsoft\DirectX, xrefs: 6CBDD618
                                                                                    • RegOpenKeyEx(), xrefs: 6CBDD63A
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue
                                                                                    • String ID: Current DirectX may be a older version which does not have directx key in the registry.$Current DirectX may be a older version which does not have the version value in the registry.$GetDXVersion$GetDXVersion(): Unable to get RC string from registry, now RC is 0.$RegCloseKey()$RegOpenKeyEx()$RegQueryValueEx()$Software\Microsoft\DirectX$StringToVersionInfo() failed, version = %s.$Version$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE6047
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$ErrorLast_strrchr
                                                                                    • String ID: ;$InstalledProductName$IsMDXInUse$IsMDXInUse(): %s$IsMDXInUse(): %s [%s] is detected.$MDX$MsiGetProductInfo()$MsiGetProductProperty()$ProductCode$SetupGetLineText()$Unable to get product code from %s.$Unable to initialize CDXMsi.$Unable to initialize CMDXCheck.$Unable to initialize CSetupAPI.$VersionString$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • _strnlen.LIBCMT ref: 6CBDF622
                                                                                      • Part of subcall function 6CBDA3EB: FindFirstFileA.KERNELBASE(?,?,?,00000104,?,?,?), ref: 6CBDA48E
                                                                                      • Part of subcall function 6CBDA3EB: FindClose.KERNEL32(00000000), ref: 6CBDA49A
                                                                                    • _strnlen.LIBCMT ref: 6CBDF6CB
                                                                                      • Part of subcall function 6CBDB237: CreateFileA.KERNEL32(0000003B,40000000,00000003,00000000,00000003,00000080,00000000,?,6CBE3A9F,0000003B,0000003B,00000000,?,?,?,6CBD12F4), ref: 6CBDB251
                                                                                      • Part of subcall function 6CBDB237: GetLastError.KERNEL32(?,6CBE3A9F,0000003B,0000003B,00000000,?,?,?,6CBD12F4,dxupdate.inf,?,?,6CBD12F4), ref: 6CBDB25C
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: FileFind__wstrtime_strnlen$CloseCreateErrorFirstLast_strrchr
                                                                                    • String ID: .dll$.xml$IsTargetFileInUse$IsTargetFileInUse(): %s is locked!$IsTargetFileInUse(): %s is not locked.$IsTargetFileInUse(): Unable to get file list in section.$LoadListFromInfSection() failed.$MDXDLLs$Unable to create path string, %s%s.$Unable to find %s.$_IsMDXDevInUse$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(USER32.DLL,00000314,6CBFA508,00000000,?,?,?,?,6CBF148B,6CBFA508,Microsoft Visual C++ Runtime Library,00012010), ref: 6CBF4E94
                                                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 6CBF4EB3
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 6CBF4ECC
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 6CBF4EE1
                                                                                    • __get_wpgmptr.LIBCMT ref: 6CBF4EF2
                                                                                    • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 6CBF4F16
                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 6CBF4F2E
                                                                                    • __get_amblksiz.LIBCMT ref: 6CBF4F86
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad__get_amblksiz__get_wpgmptr
                                                                                    • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBDF977
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBDFAB1
                                                                                      • Part of subcall function 6CBD9BC1: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 6CBD9D51
                                                                                      • Part of subcall function 6CBD9BC1: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD9D76
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,?,6CBD45C8,?,6CBD12F4,?,?,6CBD12F4,dxupdate.inf,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp,00000000,IsMDXInUse), ref: 6CBDFA0C
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$DirectoryErrorFormatFreeLastLocalMessageWindows_memset_strrchr
                                                                                    • String ID: GetWindowsDirectory()$IsMDXDevInUse$IsMDXDevInUse(): ProductVersion = %s.$IsMDXInUse$MDXDLLs$Unable to create directory name, \v%s\.$Unable to create path string, %s%s%s.$Unable to create path string, %s\%s.$\Microsoft.NET\Managed DirectX$dxupdate.inf$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 600149719-3529715575
                                                                                    • Opcode ID: f17e69290d801e099075cddfca0724403ef04c4870047961de6c53ef38856d23
                                                                                    • Instruction ID: d13b581e438d6a8862d2a80095756bdf4ee5e4bfb57cc411d903c9388da673c1
                                                                                    • Opcode Fuzzy Hash: f17e69290d801e099075cddfca0724403ef04c4870047961de6c53ef38856d23
                                                                                    • Instruction Fuzzy Hash: A041B9B9D0419CBADB10CB948C80EDA777CDB55368F0245A2F518F2940EA30BFC88F61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,6CBEA52D), ref: 6CBEC570
                                                                                    • __mtterm.LIBCMT ref: 6CBEC57C
                                                                                      • Part of subcall function 6CBEC20A: TlsFree.KERNELBASE(00000038,6CBEA5C1), ref: 6CBEC235
                                                                                      • Part of subcall function 6CBEC20A: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6CBEA5C1), ref: 6CBEF8AD
                                                                                      • Part of subcall function 6CBEC20A: DeleteCriticalSection.KERNEL32(00000038,?,?,6CBEA5C1), ref: 6CBEF8D7
                                                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6CBEC592
                                                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6CBEC59F
                                                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6CBEC5AC
                                                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6CBEC5B9
                                                                                    • TlsAlloc.KERNEL32(?,6CBEA52D), ref: 6CBEC609
                                                                                    • TlsSetValue.KERNEL32(00000000,?,6CBEA52D), ref: 6CBEC620
                                                                                    • __mtterm.LIBCMT ref: 6CBEC677
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CriticalDeleteSection__mtterm$AllocFreeHandleModuleValue
                                                                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                    • API String ID: 1270926730-3819984048
                                                                                    • Opcode ID: cde7a239bcbf76c0871756ca9ed329d46f8582b9cd0193e1312652b886554695
                                                                                    • Instruction ID: 3c66db4ccc9a18777cac3b28001bc9e8593e8d8812fc8afde160393e5c696a70
                                                                                    • Opcode Fuzzy Hash: cde7a239bcbf76c0871756ca9ed329d46f8582b9cd0193e1312652b886554695
                                                                                    • Instruction Fuzzy Hash: 84313076E112809EEF117F75A80478E3EB4EB4EBA9714462AE430D3F90DB71E444CE55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LCMapStringW.KERNEL32(00000000,00000100,6CBD8CA8,00000001,00000000,00000000,6CBF6A68,0000002C,6CBF47F4,00004000,00000000,00004000,?,?,?,?), ref: 6CBF4331
                                                                                    • GetLastError.KERNEL32(?,6CBEEC67,6CBD12E7,UTF-8,00000000,6CBD12E8,00000000,6CBF93E8), ref: 6CBF4343
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,6CBF6A68,0000002C,6CBF47F4,00004000,00000000,00004000,?,?,?,?), ref: 6CBF43D2
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 6CBF4486
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$ErrorLastString
                                                                                    • String ID:
                                                                                    • API String ID: 2717499641-0
                                                                                    • Opcode ID: 3e13c2142beedc23aed076b6bfc8fb90be69094227a203f76c35ff8697c37b9c
                                                                                    • Instruction ID: 3783ce8cff75dc52684bc58b1958b2a113c72161c7659e09f1ab522d41c35fbc
                                                                                    • Opcode Fuzzy Hash: 3e13c2142beedc23aed076b6bfc8fb90be69094227a203f76c35ff8697c37b9c
                                                                                    • Instruction Fuzzy Hash: 2ED19B71900299AFDF019FA4DE84ADE7BB5FF09328F20412AF924A6B50C771C95ACF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(Unable to open %s.,?), ref: 6CBE65BA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: $;$DirectXUpdateInstallPlugIn$MDX$SetupFindfirstLine()$SetupGetLineText()$SetupOpenInfFile()$TestForPlugIn$TestForPlugIn(): %s is locked!$TestForPlugIn(): %s is not locked.$Unable to initialize CSetupAPI.$Unable to open %s.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 1452528299-4140705820
                                                                                    • Opcode ID: 424bbf964da72c09ebae570f8f3813f259d91915f978b020a99338ae90bada1a
                                                                                    • Instruction ID: 0dd216926bfa0597cfbe0ec120add333a238894b35a3d5852b97ed0f83e18184
                                                                                    • Opcode Fuzzy Hash: 424bbf964da72c09ebae570f8f3813f259d91915f978b020a99338ae90bada1a
                                                                                    • Instruction Fuzzy Hash: 92713E71E0029CABCB245B658C44FDE77B8EF1DBA4F110599FA19D2540DB34AE848F91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBE5069
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104,?,00000001,00000000), ref: 6CBE5093
                                                                                    • GetLastError.KERNEL32(00000000,?,00000001,00000000), ref: 6CBE509E
                                                                                    Strings
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp, xrefs: 6CBE50B4, 6CBE51F3, 6CBE5223
                                                                                    • %s is not trusted due to certificate problem. Please check valid certificate is installed and Cryptographic Services are enabled., xrefs: 6CBE51DE
                                                                                    • %s is not trusted. The file is not signed properly., xrefs: 6CBE5196
                                                                                    • 0, xrefs: 6CBE50ED
                                                                                    • Unable to initialize CWinTrust., xrefs: 6CBE5212
                                                                                    • %s is not trusted. The file may be damaged. Please check valid certificate is installed and Cryptographic Services are enabled., xrefs: 6CBE51C1
                                                                                    • WinVerifyTrust(), xrefs: 6CBE519C, 6CBE51C7, 6CBE51E4
                                                                                    • DXCheckTrust, xrefs: 6CBE50AA, 6CBE51A1, 6CBE51CC, 6CBE51E9, 6CBE5219
                                                                                    • MultiByteToWideChar(), xrefs: 6CBE50A5
                                                                                    • DXCheckTrust(): %s is trusted., xrefs: 6CBE5176
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharErrorLastMultiWide_memset
                                                                                    • String ID: %s is not trusted due to certificate problem. Please check valid certificate is installed and Cryptographic Services are enabled.$%s is not trusted. The file is not signed properly.$%s is not trusted. The file may be damaged. Please check valid certificate is installed and Cryptographic Services are enabled.$0$DXCheckTrust$DXCheckTrust(): %s is trusted.$MultiByteToWideChar()$Unable to initialize CWinTrust.$WinVerifyTrust()$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 1545292163-404537573
                                                                                    • Opcode ID: c2b741a6d020cc080c4a7dda07984751b189efeb95a5eb96e1835c3f6c9b5ec0
                                                                                    • Instruction ID: e0602f14f6cd5a92e000ad0635d54b940642e8eaf87a7de8ebb9167c73fbd7e8
                                                                                    • Opcode Fuzzy Hash: c2b741a6d020cc080c4a7dda07984751b189efeb95a5eb96e1835c3f6c9b5ec0
                                                                                    • Instruction Fuzzy Hash: C6511C7594129CBADB205F54CCC8FED7778EF08758F110999F518E6580DB706E888F19
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 6CBD9AC1
                                                                                    • OutputDebugStringA.KERNEL32(DXSETUP_DPF(): Unable to open log file.,00000000,00000000), ref: 6CBD9AD0
                                                                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 6CBD9B10
                                                                                    • GetLastError.KERNEL32 ref: 6CBD9B1A
                                                                                    Strings
                                                                                    • DXSETUP_DPF(): Unable to open log file., xrefs: 6CBD9B65
                                                                                    • Logs\DXError.log, xrefs: 6CBD9B2E
                                                                                    • %s%s, xrefs: 6CBD9AE7
                                                                                    • %s%s%s, xrefs: 6CBD9B3F
                                                                                    • DXSETUP_DPF(): failed to create log directory., xrefs: 6CBD9B27
                                                                                    • \Logs, xrefs: 6CBD9ADB
                                                                                    • --------------------, xrefs: 6CBD9B70
                                                                                    • DXSETUP_DPF(): GetWindowsDirectory() failed., xrefs: 6CBD9ACB
                                                                                    • DXSETUP_DPF(): path name too long., xrefs: 6CBD9B00
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Directory$CreateDebugErrorLastOutputStringWindows
                                                                                    • String ID: %s%s$%s%s%s$--------------------$DXSETUP_DPF(): GetWindowsDirectory() failed.$DXSETUP_DPF(): Unable to open log file.$DXSETUP_DPF(): failed to create log directory.$DXSETUP_DPF(): path name too long.$Logs\DXError.log$\Logs
                                                                                    • API String ID: 3967814497-1050326959
                                                                                    • Opcode ID: 023dfb398a7bca98f3bdf8d6892debfc894f91f4ca4432feb1f61b6842a77b54
                                                                                    • Instruction ID: 230e9c1b14635ad739a11ac32feb5221739413669d8eaf49ec18ee8f18d524dd
                                                                                    • Opcode Fuzzy Hash: 023dfb398a7bca98f3bdf8d6892debfc894f91f4ca4432feb1f61b6842a77b54
                                                                                    • Instruction Fuzzy Hash: FA21D179E042A476D710A6A69C54FCF3B7CDB42774F0B05A5F849E2D00EB20F5448656
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(?,?,\ddraw.dll,?,6CBDF00B,?,\dinput8d.dll,00000000,?,00000000,\ddraw.dll,?,?,00000000,?), ref: 6CBDB328
                                                                                    • FindResourceExA.KERNEL32(00000000,00000010,00000001,00000409), ref: 6CBDB347
                                                                                    • FindResourceExA.KERNEL32(00000000,00000010,00000001,00000411), ref: 6CBDB356
                                                                                    • FindResourceExA.KERNEL32(00000000,00000010,00000001,00000407), ref: 6CBDB365
                                                                                    • FreeLibrary.KERNEL32(00000000,?,6CBDF00B,?,\dinput8d.dll,00000000,?,00000000,\ddraw.dll,?,?,00000000,?), ref: 6CBDB36E
                                                                                    • GetLastError.KERNEL32(6CBDF00B,?,\dinput8d.dll,00000000,?,00000000,\ddraw.dll,?,?,00000000,?), ref: 6CBDB379
                                                                                    • GetLastError.KERNEL32(Unable to load %s.,?,?,6CBDF00B,?,\dinput8d.dll,00000000,?,00000000,\ddraw.dll,?,?,00000000,?), ref: 6CBDB3AC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindResource$ErrorLastLibrary$FreeLoad
                                                                                    • String ID: FreeLibrary()$IsMultilingual$LoadLibrary()$Unable to load %s.$\ddraw.dll$e:\bt\382730\setup\deliverables\dxupdate\inline.h
                                                                                    • API String ID: 2275697535-429043600
                                                                                    • Opcode ID: a2c4bbfdb280f8aa3521a9a2adf4a58e9f70e3ed62ac45e252d2cf37aa2e4de6
                                                                                    • Instruction ID: c0771d116011129ed0f17e98d25fcc751d4b50c3b10bd0db73b1c6e88481a89d
                                                                                    • Opcode Fuzzy Hash: a2c4bbfdb280f8aa3521a9a2adf4a58e9f70e3ed62ac45e252d2cf37aa2e4de6
                                                                                    • Instruction Fuzzy Hash: B511D679B402C9BAFB0019E54C96FBB296CDB41BF8F0B0415FA10B6494EAA1FC026476
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\.NETFramework\AssemblyFolders,00000000,00020007,?,?,00000000,00000000), ref: 6CBDF7F1
                                                                                    • RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00000001,?), ref: 6CBDF80C
                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 6CBDF841
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 6CBDF853
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 6CBDF8D7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpen__wstrtime$QueryValue_strrchr
                                                                                    • String ID: MDXDLLs$RegCloseKey()$RegOpenKeyEx()$RegQueryValueEx()$Software\Microsoft\.NETFramework\AssemblyFolders$_IsMDXDevInUse$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 856003746-2312745670
                                                                                    • Opcode ID: 3dfe157daa902d4b7a5357b38d737a5e446d1ffafbd42863e14269141027f43d
                                                                                    • Instruction ID: 113da21b0d4ab0e77d0ec6ef2a6b54b7942fe5da19d026c265ca096666f6d6f9
                                                                                    • Opcode Fuzzy Hash: 3dfe157daa902d4b7a5357b38d737a5e446d1ffafbd42863e14269141027f43d
                                                                                    • Instruction Fuzzy Hash: F54191B5D0419CBFEB209B508C82EEE777CEB55359F0205A6F608E2541D671AEC48FA2
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetFileVersionInfoSizeA.VERSION(6CBDA06B,?,?,00000000,00000000,?,?,6CBDA06B,?), ref: 6CBD9F8B
                                                                                      • Part of subcall function 6CBD9ED4: _strrchr.LIBCMT ref: 6CBD9EDF
                                                                                    • GetLastError.KERNEL32(6CBDA06B,6CBDA06B,?,?,00000000,00000000,?,?,6CBDA06B,?), ref: 6CBD9FA2
                                                                                    • _memset.LIBCMT ref: 6CBD9FFA
                                                                                    • GetFileVersionInfoA.VERSION(6CBDA06B,00000000,00000000,00000000,?,6CBDA06B,?), ref: 6CBDA008
                                                                                    • GetLastError.KERNEL32(00000000,6CBDA06B,00000000,00000000,00000000,?,6CBDA06B,?), ref: 6CBDA012
                                                                                    Strings
                                                                                    • Unable to allocate memory., xrefs: 6CBD9FD7
                                                                                    • e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h, xrefs: 6CBD9FE8, 6CBDA028
                                                                                    • GetFileVersionInfoBlock(): %s does not have version information., xrefs: 6CBD9FBA
                                                                                    • GetFileVersionInfo(), xrefs: 6CBDA019
                                                                                    • GetFileVersionInfoBlock, xrefs: 6CBD9FDE, 6CBDA01E
                                                                                    • GetFileVersionInfoBlock(): Unable to get FileVersionInfoSize, file: %s, reason: %d., xrefs: 6CBD9FAA
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileInfoLastVersion$Size_memset_strrchr
                                                                                    • String ID: GetFileVersionInfo()$GetFileVersionInfoBlock$GetFileVersionInfoBlock(): %s does not have version information.$GetFileVersionInfoBlock(): Unable to get FileVersionInfoSize, file: %s, reason: %d.$Unable to allocate memory.$e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h
                                                                                    • API String ID: 388213077-1642510695
                                                                                    • Opcode ID: 809836b0b683501edd7b8ef14e55b3564b9737e84e7ddd19987468926cc00191
                                                                                    • Instruction ID: 567b0bd5d19c1b446034358e17d43f0194020b21f3df46d5d4d27e4d929bb717
                                                                                    • Opcode Fuzzy Hash: 809836b0b683501edd7b8ef14e55b3564b9737e84e7ddd19987468926cc00191
                                                                                    • Instruction Fuzzy Hash: F911C6ABE091E67A961079E65C94CEF292CCB527FCB0F0415F905A1E01FE15FD0846B7
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(Unable to open %s.,00000000), ref: 6CBE2A53
                                                                                      • Part of subcall function 6CBDF43D: LoadLibraryExA.KERNEL32(6CBE2ADF,00000000,00000008,6CBE2ADF,00000000,00000000,6CBE81D2,00000000,?,?,?,6CBE2ADF,0000003B), ref: 6CBDF462
                                                                                      • Part of subcall function 6CBDF43D: GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 6CBDF47A
                                                                                      • Part of subcall function 6CBDF43D: FreeLibrary.KERNEL32(6CBE2ADF,?,?,?,?,?,?,6CBE2ADF,0000003B), ref: 6CBDF4EF
                                                                                      • Part of subcall function 6CBDF43D: GetLastError.KERNEL32(00000000,?,?,?,?,?,?,6CBE2ADF,0000003B), ref: 6CBDF4FA
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE2B24
                                                                                      • Part of subcall function 6CBD9BC1: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 6CBD9D51
                                                                                      • Part of subcall function 6CBD9BC1: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD9D76
                                                                                      • Part of subcall function 6CBD9BC1: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CBD9D7E
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE2AE4
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FreeLibrary__wstrtime$AddressFormatLoadLocalMessageProc_strrchr
                                                                                    • String ID: ;$DirectXUpdateInstall$RegisterDllFromSection$SetupFindfirstLine()$SetupGetLineText()$SetupOpenInfFile()$Unable to initialize CSetupAPI.$Unable to open %s.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 63134139-2384529571
                                                                                    • Opcode ID: 4a22ec4d5542869feea4dff065ecbf065c94277e1a2308aa061ef35981c93fde
                                                                                    • Instruction ID: 1620c15f353651d523e0ccf2ded549bff54a749bfb73afb81d3ce7182c234279
                                                                                    • Opcode Fuzzy Hash: 4a22ec4d5542869feea4dff065ecbf065c94277e1a2308aa061ef35981c93fde
                                                                                    • Instruction Fuzzy Hash: 77416A71A002D6BBC721AFF48C4CEEE76B8DB4DF94F110845F565A2941DB70AD848A63
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • lstrcmpA.KERNEL32(?,DefaultInstall,RegisterDLL64,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp,00000000), ref: 6CBDFE63
                                                                                      • Part of subcall function 6CBDC15A: _memset.LIBCMT ref: 6CBDC16F
                                                                                      • Part of subcall function 6CBDC15A: CreateProcessA.KERNEL32(00000000,6CBD46C8,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?), ref: 6CBDC193
                                                                                      • Part of subcall function 6CBDC15A: WaitForSingleObject.KERNEL32(?,000000FF,?,00000104,?), ref: 6CBDC1A6
                                                                                      • Part of subcall function 6CBDC15A: GetLastError.KERNEL32(00000000,?,00000104,?), ref: 6CBDC1B2
                                                                                      • Part of subcall function 6CBDC15A: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 6CBDC1DE
                                                                                      • Part of subcall function 6CBDC15A: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 6CBDC1E3
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                      • Part of subcall function 6CBD9EA5: CompareStringA.KERNEL32(00000409,00000001,?,000000FF,6CBE0ED5,000000FF,?,6CBE0ED5,?,Version,?,00000000,?), ref: 6CBD9EBB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandle__wstrtime$CompareCreateErrorLastObjectProcessSingleStringWait_memset_strrchrlstrcmp
                                                                                    • String ID: DefaultInstall$InstallEXE$InstallEXE(): %s returned %d.$InstallEXE(): Command:%s$InstallEXE(): Command:%s %s$RegSvr32.exe$RegisterDLL64$RunProcess() failed.$Unable to create command string, %s %s.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$infinst.exe
                                                                                    • API String ID: 2433414053-2811192177
                                                                                    • Opcode ID: 52e6b1acee96d8660a11832fe4aba0a36bbb19edf050129dd9ad4a50e2e419a6
                                                                                    • Instruction ID: 1c38dca127cdebf8722c299de6e51b7e25395bb87fe38c4dbd3643aa60d8ba19
                                                                                    • Opcode Fuzzy Hash: 52e6b1acee96d8660a11832fe4aba0a36bbb19edf050129dd9ad4a50e2e419a6
                                                                                    • Instruction Fuzzy Hash: B721FB7A9091D476D7106BB59C40EEF3B7CDB57328F030691F419E2A40EB30F9884EA6
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 6CBDDC1E
                                                                                    • GetLastError.KERNEL32(Unable to copy %s to %s.,?,?), ref: 6CBDDC3B
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$CopyErrorFileLast_strrchr
                                                                                    • String ID: CopyFile()$DXRenameFile$DirectXUpdateInstall$Renamed %s to %s$Unable to copy %s to %s.$Unable to create path string %s%s, failed to rename %s to %s.$Unable to find %s to rename, original version is used.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 4156371552-2855794351
                                                                                    • Opcode ID: 785e7ac60ab52460d283400995fbca980301ecc7cce754c75b773b570f397be5
                                                                                    • Instruction ID: 03a54b86ea695ba6af2a16e1a7353fdba18bedd856548e25a5f7d7ec5e0f8700
                                                                                    • Opcode Fuzzy Hash: 785e7ac60ab52460d283400995fbca980301ecc7cce754c75b773b570f397be5
                                                                                    • Instruction Fuzzy Hash: 122105BAA002D97AD710DAF59C44EEF777CDB45328F0604A2F945E3840EA70BA848B71
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CopyFile()$DX%s.CAT$InstCatWinMe$InstCatWinMe(): deleting catalog file...$InstCatWinMe(): installing catalog file...$Unable to copy %s to %s.$Unable to create path string, %s%s.$e:\bt\382730\setup\deliverables\dxupdate\instcat.cpp
                                                                                    • API String ID: 0-1446033246
                                                                                    • Opcode ID: c51e68227a75f475c3cdaf1a67e2c0c047623610642574623aa5ec009ee41490
                                                                                    • Instruction ID: 3b63e04a335ce51ee9fce6861297854e59d71ec10f2aeab8283bde4ef0299c3d
                                                                                    • Opcode Fuzzy Hash: c51e68227a75f475c3cdaf1a67e2c0c047623610642574623aa5ec009ee41490
                                                                                    • Instruction Fuzzy Hash: 0F21B17AA002987ADB109AA1DC48FFB777CDF45338F170452B911E2941DB78FE848AA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(00000004,?), ref: 6CBDC64B
                                                                                    • GetLastError.KERNEL32 ref: 6CBDC656
                                                                                    • _strnlen.LIBCMT ref: 6CBDC6B7
                                                                                    • SHFileOperationA.SHELL32(?,?,00000104,00000004,?,00000000), ref: 6CBDC708
                                                                                    • DeleteFileA.KERNEL32(00000004,?,00000000), ref: 6CBDC717
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • GetLastError.KERNEL32(Unable to remove %s.,00000004), ref: 6CBDC729
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$ErrorLast__wstrtime$AttributesDeleteOperation_strnlen_strrchr
                                                                                    • String ID: DXRemoveFile$GetFileAttributes()$Unable to remove %s.$e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h
                                                                                    • API String ID: 3110083123-1900097680
                                                                                    • Opcode ID: cd8bf36ca4045d58208d6390ce7c2f251e52c158443a9a1f0f7a6f26ea84caf5
                                                                                    • Instruction ID: 95bfa6d92724f6cba6da5c72d29dd8908c5050340af95f365b5c4864cd473134
                                                                                    • Opcode Fuzzy Hash: cd8bf36ca4045d58208d6390ce7c2f251e52c158443a9a1f0f7a6f26ea84caf5
                                                                                    • Instruction Fuzzy Hash: 2321FB75E04198ABCB10AFA88C45BDEB778EB1A364F1605A5F605E3540D730BE448FA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6CBDB10F
                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,dxupdate.cab), ref: 6CBDB154
                                                                                    • GetLastError.KERNEL32 ref: 6CBDB15E
                                                                                      • Part of subcall function 6CBD9BC1: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 6CBD9D51
                                                                                      • Part of subcall function 6CBD9BC1: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD9D76
                                                                                    • GetLastError.KERNEL32(Module: %s, Function: %s,00000004,?,6CBF9880,?,6CBE12C5,SetupDefaultQueueCallbackA,setupapi.dll,00000104,6CBE3D09,6CBF9880,6CBF9880,00000104,?,?,00000000), ref: 6CBDB12D
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFreeLast__wstrtime$AddressFormatLibraryLocalMessageProc_strrchr
                                                                                    • String ID: CDllLoader::GetProcAddress$FreeLibrary()$GetProcAddress()$Invalid member - m_hModule is NULL.$Module: %s, Function: %s$e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h
                                                                                    • API String ID: 2317682547-2938890287
                                                                                    • Opcode ID: 50601826ca2062b02636b96ee69ddc03007f4bdc23ae964e68192b62c41747d1
                                                                                    • Instruction ID: ede24191c2e84af3c808bb7f5cfc5e8f944fc5d1e16f563f8f7a70f0f90bc38b
                                                                                    • Opcode Fuzzy Hash: 50601826ca2062b02636b96ee69ddc03007f4bdc23ae964e68192b62c41747d1
                                                                                    • Instruction Fuzzy Hash: 5E1125B9E50284FBE7119A91CC49E6F36BCEB857A8F1B0404F504E3500E630FE008661
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(?,?,00000104,?,6CBDF02E,?,?,\dinput8d.dll,00000000,?,00000000,\ddraw.dll,?,?,00000000,?), ref: 6CBDB3E6
                                                                                    • FindResourceExA.KERNEL32(00000000,00000010,00000001,00000409), ref: 6CBDB3FE
                                                                                    • FreeLibrary.KERNEL32(00000000,?,6CBDF02E,?,?,\dinput8d.dll,00000000,?,00000000,\ddraw.dll,?,?,00000000,?), ref: 6CBDB40B
                                                                                    • GetLastError.KERNEL32(?,6CBDF02E,?,?,\dinput8d.dll,00000000,?,00000000,\ddraw.dll,?,?,00000000,?), ref: 6CBDB415
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    • GetLastError.KERNEL32(Unable to load %s.,?,?,6CBDF02E,?,?,\dinput8d.dll,00000000,?,00000000,\ddraw.dll,?,?,00000000,?), ref: 6CBDB448
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastLibrary__wstrtime$FindFreeLoadResource_strrchr
                                                                                    • String ID: FreeLibrary()$IsEnglish$LoadLibrary()$Unable to load %s.$e:\bt\382730\setup\deliverables\dxupdate\inline.h
                                                                                    • API String ID: 664765759-1316196923
                                                                                    • Opcode ID: 5415ec7e737056edfabb2e590ef8baad93ddc180a279e46317c840f587db30e0
                                                                                    • Instruction ID: add0ccb950e8dc16f6a54749a90c50b87f22dc8fee0ce01f2222f285a1b1ba57
                                                                                    • Opcode Fuzzy Hash: 5415ec7e737056edfabb2e590ef8baad93ddc180a279e46317c840f587db30e0
                                                                                    • Instruction Fuzzy Hash: AB01F93A7801D177E710A5E58C1AF9A3D68D741BF3F0B4504F600A3994EE71F50055A6
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBDA05B
                                                                                      • Part of subcall function 6CBD9F7A: GetFileVersionInfoSizeA.VERSION(6CBDA06B,?,?,00000000,00000000,?,?,6CBDA06B,?), ref: 6CBD9F8B
                                                                                      • Part of subcall function 6CBD9F7A: GetLastError.KERNEL32(6CBDA06B,6CBDA06B,?,?,00000000,00000000,?,?,6CBDA06B,?), ref: 6CBD9FA2
                                                                                    • VerQueryValueW.VERSION(00000000,6CBD1724,?,?,?), ref: 6CBDA083
                                                                                    • GetLastError.KERNEL32(00000000,00000000,6CBD1724,?,?,?), ref: 6CBDA08D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FileInfoQuerySizeValueVersion_memset
                                                                                    • String ID: 4$DXGetFileVersion$Data size mismatch.$VerQueryValue()$e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h
                                                                                    • API String ID: 2833552196-926253235
                                                                                    • Opcode ID: df35402e55f69fa532e683877c33195030a6f414bd9c8e20f9c9dff635689cee
                                                                                    • Instruction ID: bb5fefc84357b8a8ffe72185f6051bcedf956e1a10cca41d46096730e72149dd
                                                                                    • Opcode Fuzzy Hash: df35402e55f69fa532e683877c33195030a6f414bd9c8e20f9c9dff635689cee
                                                                                    • Instruction Fuzzy Hash: 09016D766402847EEB111A908C81FEF363CEB457FCF264030FA01A4990EB70FF059662
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _strrchr.LIBCMT ref: 6CBD9EDF
                                                                                      • Part of subcall function 6CBD9EA5: CompareStringA.KERNEL32(00000409,00000001,?,000000FF,6CBE0ED5,000000FF,?,6CBE0ED5,?,Version,?,00000000,?), ref: 6CBD9EBB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CompareString_strrchr
                                                                                    • String ID: chm$dls$fon$hlp$inf$ini$png$txt
                                                                                    • API String ID: 987711976-1006119773
                                                                                    • Opcode ID: 362493bc735a92899fdf04e7299254b1a2c211c415a997886c9d8fe46613cff3
                                                                                    • Instruction ID: f96e61fe055b148bec6a9839548b8b29e3178539cb41cdda28ce05338ec3db90
                                                                                    • Opcode Fuzzy Hash: 362493bc735a92899fdf04e7299254b1a2c211c415a997886c9d8fe46613cff3
                                                                                    • Instruction Fuzzy Hash: A201282DA1A6D271BB4525A68E20FDF278EDF010BCB171424AC15E0D94EF09FA4984EF
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetStringTypeW.KERNEL32(00000001,6CBD8CA8,00000001,?,?,00000004,00000000), ref: 6CBF5E63
                                                                                    • GetStringTypeW.KERNEL32(?,?,000000FF,?,?,00000004,00000000), ref: 6CBF5E9B
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: StringType
                                                                                    • String ID:
                                                                                    • API String ID: 4177115715-0
                                                                                    • Opcode ID: cb87b43b285d6c4548f463f83912d20dfed0c1d1aace50bf4e9b9b3355645100
                                                                                    • Instruction ID: d10b8a99010d23872ae2aeea5e94088cf4af63acbabd526ae49d36300d4de755
                                                                                    • Opcode Fuzzy Hash: cb87b43b285d6c4548f463f83912d20dfed0c1d1aace50bf4e9b9b3355645100
                                                                                    • Instruction Fuzzy Hash: DB61ED7090068AEFEF118F65CC8089E7BB9EF49358B208565F97097B50D330D85ECB56
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __set_error_mode.LIBCMT ref: 6CBF1377
                                                                                    • __set_error_mode.LIBCMT ref: 6CBF1388
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,6CBFA521,00000104,00000000,00000000,00000000,?,6CBEC33C,00000001,00000214), ref: 6CBF13E8
                                                                                    • GetStdHandle.KERNEL32(000000F4,77995E70,00000000,00000000,00000003,00000003,?,6CBF14FC,000000FC,6CBEB8D2,?,6CBEF955,00000018,6CBF6880,0000000C,6CBEF9EB), ref: 6CBF1492
                                                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,6CBF14FC,000000FC,6CBEB8D2,?,6CBEF955,00000018,6CBF6880,0000000C,6CBEF9EB,00000000), ref: 6CBF14C0
                                                                                    Strings
                                                                                    • <program name unknown>, xrefs: 6CBF13F2
                                                                                    • Runtime Error!Program: , xrefs: 6CBF13AB
                                                                                    • Microsoft Visual C++ Runtime Library, xrefs: 6CBF1480
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: File__set_error_mode$HandleModuleNameWrite
                                                                                    • String ID: <program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                    • API String ID: 3248813247-385325454
                                                                                    • Opcode ID: b854e410715bf77b9df0a15b2203f47e11de470bf872a66b87c2a65efb2a16dd
                                                                                    • Instruction ID: ab1d7d947a1d1ef88d265490c3bb0f947cb3e25ab45972705fba771e30a3b9e7
                                                                                    • Opcode Fuzzy Hash: b854e410715bf77b9df0a15b2203f47e11de470bf872a66b87c2a65efb2a16dd
                                                                                    • Instruction Fuzzy Hash: C73127F2A012C1B6EB015A764C45E9F326CCF8265CF1D4825E876A3F41E662D90F85F2
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,6CBD12F4,00000000,CMDXInstall::Install,e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp,00000000), ref: 6CBDD266
                                                                                    • GetLastError.KERNEL32 ref: 6CBDD270
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                      • Part of subcall function 6CBD9BC1: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 6CBD9D51
                                                                                      • Part of subcall function 6CBD9BC1: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBD9D76
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$CreateDirectoryErrorFormatFreeLastLocalMessage_strrchr
                                                                                    • String ID: CMDXInstall::Install$CreateDirectory()$DXCreateDirectoryTree$Unable to create path string, %s\%s.$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp$e:\bt\382730\setup\deliverables\dxupdate\inline.h
                                                                                    • API String ID: 967560131-6166127
                                                                                    • Opcode ID: 9a6461a9a0352880c6e9b6626044719ffba4caddd6be1a3107bfbdcbbdddaf4d
                                                                                    • Instruction ID: fd9f5f73c224bcf964a98228755a37039e667fc6e6ac59079485c0031c0c3672
                                                                                    • Opcode Fuzzy Hash: 9a6461a9a0352880c6e9b6626044719ffba4caddd6be1a3107bfbdcbbdddaf4d
                                                                                    • Instruction Fuzzy Hash: 0B21B9B694029CBBEB10D6A1DC84FDF777CDB59364F0504A5B94AE2540E670FB888E70
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _realloc.LIBCMT ref: 6CBDC7AD
                                                                                    • GetPrivateProfileSectionA.KERNEL32(75A9B4B0,00000000,-00000258,?), ref: 6CBDC7C2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$PrivateProfileSection_realloc_strrchr
                                                                                    • String ID: LoadListFromInfSection$LoadListFromInfSection(): Unable to load %s - [%s].$Unable to allocate memory.$Unable to find %s$e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h$realloc()
                                                                                    • API String ID: 2994852080-3670691587
                                                                                    • Opcode ID: e21d12946c737a6af7dbcee3e6b5eccc4f0664b217c750d97ee1dc09fdae6f3d
                                                                                    • Instruction ID: c817032cfe4892962b9489715a188c18fffe5bf87a96383ed5337930b4079c4d
                                                                                    • Opcode Fuzzy Hash: e21d12946c737a6af7dbcee3e6b5eccc4f0664b217c750d97ee1dc09fdae6f3d
                                                                                    • Instruction Fuzzy Hash: C9112B766002C5BFE7002EA58CC0C9ABBA8EF5037DB164539F91897A01EB72BD548761
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$_strrchr
                                                                                    • String ID: .dll$CMDXCheck::IsInUse$IsInUse(): Unable to find DLL name, skipped %s.$IsInUse(): Unable to get file list from %s:[%s].$LoadListFromInfSection() failed.$MDXDLLs$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 4138713405-4040500528
                                                                                    • Opcode ID: 3d7646bd547574c5220b3f3572320b329ac467e1b1b5dde427230192c57313c8
                                                                                    • Instruction ID: b9def9548b586c3a9f19ef6fd18af6a2b7ad61593cd14cced8a27bc3670355f3
                                                                                    • Opcode Fuzzy Hash: 3d7646bd547574c5220b3f3572320b329ac467e1b1b5dde427230192c57313c8
                                                                                    • Instruction Fuzzy Hash: 78115C369442D0B6DF1057D99C01FCF3EA8CF56BB8F120555E410B39C1DB60B90499AB
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,6CBF6770,0000000C,6CBEC365,00000000,00000000), ref: 6CBEC25D
                                                                                    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6CBEC286
                                                                                    • GetProcAddress.KERNEL32(?,DecodePointer), ref: 6CBEC296
                                                                                    • InterlockedIncrement.KERNEL32(6CBF8880), ref: 6CBEC2B8
                                                                                    • ___addlocaleref.LIBCMT ref: 6CBEC2DF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref
                                                                                    • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                    • API String ID: 1389861978-2843748187
                                                                                    • Opcode ID: a7491d41d760c7c7dc7c121e10df31294059cec95c78db4e446369b031a6f7c6
                                                                                    • Instruction ID: 56ecff1336add2fe5e93811a7bdf85007687ae0e18a12981d26bd87bb1119350
                                                                                    • Opcode Fuzzy Hash: a7491d41d760c7c7dc7c121e10df31294059cec95c78db4e446369b031a6f7c6
                                                                                    • Instruction Fuzzy Hash: AD11ACB19407819EEB109F76D800B9ABBF0EF49328F00891EE8A9D7B50DB75E9058F54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,6CBF49FA,00000001,?,00000000,?,?,?), ref: 6CBF612B
                                                                                    • GetCPInfo.KERNEL32(?,00000001,?,6CBF49FA,00000001,?), ref: 6CBF6144
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,6CBF49FA,00000000,00000000,?,6CBF49FA,00000001,?,00000000,?,?,?,?,00000000), ref: 6CBF61A8
                                                                                    • _memset.LIBCMT ref: 6CBF61E0
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,6CBF49FA,?,00000000,?,?,?,?,?,?,?,6CBF49FA,00000001,?), ref: 6CBF61F7
                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,6CBF49FA), ref: 6CBF6212
                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,6CBF49FA), ref: 6CBF6238
                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,6CBF49FA), ref: 6CBF625D
                                                                                    • __freea.LIBCMT ref: 6CBF627F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$Info$__freea_memset
                                                                                    • String ID:
                                                                                    • API String ID: 1700608584-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetStringTypeW.KERNEL32(00000001,6CBD8CA8,00000001,?,?,?,00000000,?,?,?,6CBF49FA,00000001,?,00000000,?,?), ref: 6CBF483A
                                                                                    • GetLastError.KERNEL32(?,6CBF49FA,00000001,?,00000000,?,?,?,?,00000000,?,00000001,00000000,00000000,00000008,?), ref: 6CBF484C
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,6CBF49FA,00000001,?,00000000), ref: 6CBF48B1
                                                                                    • _memset.LIBCMT ref: 6CBF4906
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,00000000,?,00000001,00000000,00000000,00000008,?,00000000), ref: 6CBF491B
                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6CBF4929
                                                                                    • __freea.LIBCMT ref: 6CBF4933
                                                                                    • ___ansicp.LIBCMT ref: 6CBF495D
                                                                                    • GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6CBF49FA,00000001,?,00000000,?), ref: 6CBF499E
                                                                                      • Part of subcall function 6CBF60E0: GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,6CBF49FA,00000001,?,00000000,?,?,?), ref: 6CBF612B
                                                                                      • Part of subcall function 6CBF60E0: GetCPInfo.KERNEL32(?,00000001,?,6CBF49FA,00000001,?), ref: 6CBF6144
                                                                                      • Part of subcall function 6CBF60E0: _memset.LIBCMT ref: 6CBF61E0
                                                                                      • Part of subcall function 6CBF60E0: MultiByteToWideChar.KERNEL32(?,00000001,?,6CBF49FA,?,00000000,?,?,?,?,?,?,?,6CBF49FA,00000001,?), ref: 6CBF61F7
                                                                                      • Part of subcall function 6CBF60E0: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,6CBF49FA), ref: 6CBF6212
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$StringType$Info_memset$ErrorLast___ansicp__freea
                                                                                    • String ID:
                                                                                    • API String ID: 3793715485-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 6CBDA4E5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectorySystem
                                                                                    • String ID: DXGetFileVersion() failed.$FRunningOnWinXP$GetSystemDirectory()$\ntkrnlpa.exe$e:\bt\382730\setup\deliverables\dxupdate\inline.h
                                                                                    • API String ID: 2188284642-2376770108
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 6CBDA5E2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectorySystem
                                                                                    • String ID: DXGetFileVersion() failed.$FRunningOnNETServer$GetSystemDirectory()$\ntkrnlpa.exe$e:\bt\382730\setup\deliverables\dxupdate\inline.h
                                                                                    • API String ID: 2188284642-43542712
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _strrchr.LIBCMT ref: 6CBDBCB1
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime_strrchr
                                                                                    • String ID: CSetupAPI is not initialized.$InstallDrvInf$Installed file %s as %s$SetupCopyOEMInf()$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 1906172993-1220023449
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetStartupInfoA.KERNEL32(?), ref: 6CBEC86A
                                                                                      • Part of subcall function 6CBEC80F: __calloc_impl.LIBCMT ref: 6CBEC824
                                                                                    • GetFileType.KERNEL32(00000024), ref: 6CBEC978
                                                                                    • ___crtInitCritSecAndSpinCount.LIBCMT ref: 6CBEC9AC
                                                                                    • GetStdHandle.KERNEL32(-000000F6), ref: 6CBECA03
                                                                                    • GetFileType.KERNEL32(00000000), ref: 6CBECA15
                                                                                    • ___crtInitCritSecAndSpinCount.LIBCMT ref: 6CBECA43
                                                                                    • SetHandleCount.KERNEL32 ref: 6CBECA6E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Count$CritFileHandleInitSpinType___crt$InfoStartup__calloc_impl
                                                                                    • String ID:
                                                                                    • API String ID: 3691444693-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: String___crt$InfoType_memset
                                                                                    • String ID:
                                                                                    • API String ID: 406800760-3916222277
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • TlsGetValue.KERNEL32(6CBFA508,?,6CBEC15B,00000000,6CBF4E75,00000314,6CBFA508,00000000,?,?,?,?,6CBF148B,6CBFA508,Microsoft Visual C++ Runtime Library,00012010), ref: 6CBEC0FB
                                                                                    • TlsGetValue.KERNEL32(0000000D,?,6CBEC15B,00000000,6CBF4E75,00000314,6CBFA508,00000000,?,?,?,?,6CBF148B,6CBFA508,Microsoft Visual C++ Runtime Library,00012010), ref: 6CBEC112
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,6CBEC15B,00000000,6CBF4E75,00000314,6CBFA508,00000000,?,?,?,?,6CBF148B,6CBFA508,Microsoft Visual C++ Runtime Library,00012010), ref: 6CBEC127
                                                                                    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6CBEC137
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$AddressHandleModuleProc
                                                                                    • String ID: EncodePointer$KERNEL32.DLL
                                                                                    • API String ID: 1929421221-3682587211
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • TlsGetValue.KERNEL32(00000000,?,6CBEC1F6), ref: 6CBEC174
                                                                                    • TlsGetValue.KERNEL32(0000000D,?,6CBEC1F6), ref: 6CBEC18B
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,6CBEC1F6), ref: 6CBEC1A0
                                                                                    • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 6CBEC1B0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$AddressHandleModuleProc
                                                                                    • String ID: DecodePointer$KERNEL32.DLL
                                                                                    • API String ID: 1929421221-629428536
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(?,00000004,00000104,?,00000000,?,6CBE12B1,setupapi.dll,00000104,6CBE3D09,6CBF9880,6CBF9880,00000104,?,?,00000000), ref: 6CBDC952
                                                                                    • GetLastError.KERNEL32(Unable to load %s.,?,6CBE12B1,setupapi.dll,00000104,6CBE3D09,6CBF9880,6CBF9880,00000104,?,?,00000000,?,?,dxupdate.cab), ref: 6CBDC967
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    • CDllLoader::LoadLibraryA, xrefs: 6CBDC973
                                                                                    • e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h, xrefs: 6CBDC97D
                                                                                    • LoadLibrary(), xrefs: 6CBDC96E
                                                                                    • Unable to load %s., xrefs: 6CBDC962
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$ErrorLastLibraryLoad_strrchr
                                                                                    • String ID: CDllLoader::LoadLibraryA$LoadLibrary()$Unable to load %s.$e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h
                                                                                    • API String ID: 108046663-2531695590
                                                                                    • Opcode ID: cdac1ec8ede6f6eb6ec74d7c4f7ba9f6217ddeb3556c60f6e028bb6b868f46ca
                                                                                    • Instruction ID: 6286dca6b044d1606b69d858d86baa2c5464f1d5898e1dda6a43157c5ad76740
                                                                                    • Opcode Fuzzy Hash: cdac1ec8ede6f6eb6ec74d7c4f7ba9f6217ddeb3556c60f6e028bb6b868f46ca
                                                                                    • Instruction Fuzzy Hash: 2EF02B7AA50289BFD7017EF1CC04CCA7FECEB193B570A0821F946D3910E671F5009AA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7c5d172b70559e559c80df990bbe552d762cd0539f9a089a5c2d743c4cca0d9e
                                                                                    • Instruction ID: be28cdfc63c5ebeb80cb6c7c79b1e59fec36cc0160947cdf6aaa377191e812e5
                                                                                    • Opcode Fuzzy Hash: 7c5d172b70559e559c80df990bbe552d762cd0539f9a089a5c2d743c4cca0d9e
                                                                                    • Instruction Fuzzy Hash: 0C31F2F24046C16AD7224A2A880169E77A5EF06378F2C8E19D4B697F90DB24D54B8B92
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • ___initconout.LIBCMT ref: 6CBF583A
                                                                                      • Part of subcall function 6CBF6523: CreateFileA.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CBF583F,?,?,?,6CBF20D0,?), ref: 6CBF6536
                                                                                    • WriteConsoleW.KERNEL32(FFFFFFFE,6CBF20D0,00000001,?,00000000,?,?,?,6CBF20D0,?), ref: 6CBF585B
                                                                                    • GetLastError.KERNEL32(?,?,6CBF20D0,?), ref: 6CBF586E
                                                                                    • GetConsoleOutputCP.KERNEL32(00000000,6CBF20D0,00000001,?,00000005,00000000,00000000,?,?,?,6CBF20D0,?), ref: 6CBF588E
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,?,?,6CBF20D0,?), ref: 6CBF5895
                                                                                    • WriteConsoleA.KERNEL32(FFFFFFFE,?,00000000,?,00000000,?,?,6CBF20D0,?), ref: 6CBF58B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide___initconout
                                                                                    • String ID:
                                                                                    • API String ID: 3734994816-0
                                                                                    • Opcode ID: c4e48b156a67d9406bab401428a605c5ac8063021930c071d64a2ac5545efac1
                                                                                    • Instruction ID: 92d9b04712a6b1d5f16741f7a82eff1cd8e43d81268fa71882fc72631ffabb73
                                                                                    • Opcode Fuzzy Hash: c4e48b156a67d9406bab401428a605c5ac8063021930c071d64a2ac5545efac1
                                                                                    • Instruction Fuzzy Hash: 82219270A01159AEEB10CFA1D8089AB7B7CEF42725B144219F931876C0D730AA4ACB95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000005), ref: 6CBE9827
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    • CInsEngCallback::OnEngineProblem, xrefs: 6CBE97F1, 6CBE9842
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dwnldmgr.cpp, xrefs: 6CBE97FB, 6CBE984C
                                                                                    • OnEngineProblem(): problem = 0x%X, xrefs: 6CBE97CD
                                                                                    • Unknown engine problem %d., xrefs: 6CBE9839
                                                                                    • The file to be downloaded is not trusted., xrefs: 6CBE97E8
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$Sleep_strrchr
                                                                                    • String ID: CInsEngCallback::OnEngineProblem$OnEngineProblem(): problem = 0x%X$The file to be downloaded is not trusted.$Unknown engine problem %d.$e:\bt\382730\setup\deliverables\dxupdate\dwnldmgr.cpp
                                                                                    • API String ID: 3675393568-4174456046
                                                                                    • Opcode ID: 70df00c0c2e1d18a4696621b28ef504a2cef9165f17c8c8071f9e5fbf008dd73
                                                                                    • Instruction ID: e20f61124c198337b53550f241508e397976925e82db45b9b9b7c1cf620faceb
                                                                                    • Opcode Fuzzy Hash: 70df00c0c2e1d18a4696621b28ef504a2cef9165f17c8c8071f9e5fbf008dd73
                                                                                    • Instruction Fuzzy Hash: 8C11EC39A40380BBE7245F16CC15F997B68DB84777F12842AFA195BAD1D772F4048790
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$_strrchr
                                                                                    • String ID: GetSectionNamesFromInf() failed.$Invalid buffer.$IsSectionInInf$e:\bt\382730\setup\deliverables\dxupdate\inline.h
                                                                                    • API String ID: 4138713405-3922201919
                                                                                    • Opcode ID: ee6f65ef32c59965ff48dead75c26513cd371326a5593d2a52dd507e690092cc
                                                                                    • Instruction ID: 77f92817c7674734041901cc74b9efb1a5ba2352d7b068dbd73a81cab341459c
                                                                                    • Opcode Fuzzy Hash: ee6f65ef32c59965ff48dead75c26513cd371326a5593d2a52dd507e690092cc
                                                                                    • Instruction Fuzzy Hash: 341108F6C041C6BBEB107AA84C81CEEBBA9CB0536CB370959F500B3941EB71BE4552A1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strrchr
                                                                                    • String ID: , $.cab$.exe$DefaultInstall
                                                                                    • API String ID: 3213747228-64454702
                                                                                    • Opcode ID: 74d87cabbd7ce41814103eee81a7bbf1c5fa69351cc9429c2a7939ca055f62b7
                                                                                    • Instruction ID: 51df4ad9662f7ee5bcedfa85abe0a2a2c68eb75e81b8593d6228cc8f49327080
                                                                                    • Opcode Fuzzy Hash: 74d87cabbd7ce41814103eee81a7bbf1c5fa69351cc9429c2a7939ca055f62b7
                                                                                    • Instruction Fuzzy Hash: 3E11E7B65413957AD3019B259C01FDB37ACEF05668F160431FE04DBA40F731EA1587D9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(00000000,00000000,6CBE21D7,?,?,?,?,\msi.dll,00000000,?,?,00000104), ref: 6CBDB0B2
                                                                                    • GetLastError.KERNEL32(?,?,?,?,\msi.dll,00000000,?,?,00000104), ref: 6CBDB0BC
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    • e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h, xrefs: 6CBDB0D8
                                                                                    • CDllLoader::FreeLibrary, xrefs: 6CBDB0CE
                                                                                    • FreeLibrary(), xrefs: 6CBDB0C9
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$ErrorFreeLastLibrary_strrchr
                                                                                    • String ID: CDllLoader::FreeLibrary$FreeLibrary()$e:\bt\382730\setup\deliverables\dsetup\inc\dsinline.h
                                                                                    • API String ID: 2808663981-1330908120
                                                                                    • Opcode ID: db53e953b4dd50199a4bda0e335980aa94b297379b5f74e50e3a49a76cf7762d
                                                                                    • Instruction ID: b6cbfde8fe9298d57363332681e2f80d0f0d6d2881702ccf887fd740589c68f3
                                                                                    • Opcode Fuzzy Hash: db53e953b4dd50199a4bda0e335980aa94b297379b5f74e50e3a49a76cf7762d
                                                                                    • Instruction Fuzzy Hash: 9DE02639B142C26BF7206AF66C08B9336ECDB40779F1B4815F860E3441FE60F8014151
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(00000000,6CBDAFFD), ref: 6CBDA210
                                                                                    • GetLastError.KERNEL32 ref: 6CBDA21A
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    • UnLoadSfcDLL, xrefs: 6CBDA22C
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\instcat.cpp, xrefs: 6CBDA233
                                                                                    • FreeLibrary(), xrefs: 6CBDA227
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$ErrorFreeLastLibrary_strrchr
                                                                                    • String ID: FreeLibrary()$UnLoadSfcDLL$e:\bt\382730\setup\deliverables\dxupdate\instcat.cpp
                                                                                    • API String ID: 2808663981-1868216810
                                                                                    • Opcode ID: 5be042e403c9f5b3674f26781bed5b709d3593c9352571ac413675bbe36bb043
                                                                                    • Instruction ID: 7a4c9f72ad0772429476a34ee687d6ab5b6c4e61a34f187d9c168d8489228e14
                                                                                    • Opcode Fuzzy Hash: 5be042e403c9f5b3674f26781bed5b709d3593c9352571ac413675bbe36bb043
                                                                                    • Instruction Fuzzy Hash: 1AE012BCB4028267FF006EA75C8AB16357CB721AB5F8A4404F411F2991E765F000C912
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,6CBE411A,000000FF,?,00000104,?,00000000), ref: 6CBE1BAD
                                                                                    • GetLastError.KERNEL32(00000000), ref: 6CBE1BB8
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BF2
                                                                                      • Part of subcall function 6CBD9BC1: __wstrtime.LIBCMT ref: 6CBD9BFB
                                                                                      • Part of subcall function 6CBD9BC1: _strrchr.LIBCMT ref: 6CBD9C41
                                                                                    Strings
                                                                                    • e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp, xrefs: 6CBE1BCE
                                                                                    • MultiByteToWideChar(), xrefs: 6CBE1BBF
                                                                                    • CFusion::GetAssemblyList, xrefs: 6CBE1BC4
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wstrtime$ByteCharErrorLastMultiWide_strrchr
                                                                                    • String ID: CFusion::GetAssemblyList$MultiByteToWideChar()$e:\bt\382730\setup\deliverables\dxupdate\dxupdate.cpp
                                                                                    • API String ID: 1615087234-1850757137
                                                                                    • Opcode ID: 63fa6bb7409f22d9635b81893ffe772288a9034a0ec305072a630311d454afe7
                                                                                    • Instruction ID: ad46f56a3fff946d68e033a2d40bc0b5f350a93ef8fa30359ed40bc494970ff2
                                                                                    • Opcode Fuzzy Hash: 63fa6bb7409f22d9635b81893ffe772288a9034a0ec305072a630311d454afe7
                                                                                    • Instruction Fuzzy Hash: 6C01D6B57002487BDB00EBE88C45FEE377CDB09760F250518B526E72C1DA70FA048764
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6CBED149
                                                                                    • GetCurrentProcessId.KERNEL32 ref: 6CBED155
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6CBED15D
                                                                                    • GetTickCount.KERNEL32 ref: 6CBED165
                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 6CBED171
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                    • String ID:
                                                                                    • API String ID: 1445889803-0
                                                                                    • Opcode ID: bb51619307f786030af965057ac88ad5070896d6e740b33a0197e3d23d259792
                                                                                    • Instruction ID: 05386bf88575b11fe397d076302c1f5bb258683e84b399dece08beab08023f82
                                                                                    • Opcode Fuzzy Hash: bb51619307f786030af965057ac88ad5070896d6e740b33a0197e3d23d259792
                                                                                    • Instruction Fuzzy Hash: 42017176E416289BCF109BF9E44869EB7F8EF8E3A1F5A0552D911E7204D770A940CB81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 6CBF26F1
                                                                                    • WideCharToMultiByte.KERNEL32(680779C0,00000000,?,00000001,?,6CBD9AF9,00000000,?,?,?,?,?,6CBD9AF9,?,?,00000000), ref: 6CBF2784
                                                                                    • GetLastError.KERNEL32 ref: 6CBF27A2
                                                                                    • _memset.LIBCMT ref: 6CBF27C4
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset$ByteCharErrorLastMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 773584764-0
                                                                                    • Opcode ID: 529abdadcc9881dde1474c5f57e95d40507a671e90c13ee94dc20cadc7588e8f
                                                                                    • Instruction ID: 7f18039e746ab34c68dff2f6975e19c4886c61be1165ea3f4d0f976e04447303
                                                                                    • Opcode Fuzzy Hash: 529abdadcc9881dde1474c5f57e95d40507a671e90c13ee94dc20cadc7588e8f
                                                                                    • Instruction Fuzzy Hash: 4F41D6729011C5BFDF119F58C8D989E7B64EF16368F110269E4305BB91EB309D4ACBA3
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __mtinitlocknum.LIBCMT ref: 6CBF2B7B
                                                                                      • Part of subcall function 6CBEF908: __FF_MSGBANNER.LIBCMT ref: 6CBEF924
                                                                                    • ___crtInitCritSecAndSpinCount.LIBCMT ref: 6CBF2BF3
                                                                                    • EnterCriticalSection.KERNEL32(00000115,6CBF69E0,00000018,6CBF3092,00000109,00000000,00000000), ref: 6CBF2C1A
                                                                                    • LeaveCriticalSection.KERNEL32(00000115), ref: 6CBF2C27
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$CountCritEnterInitLeaveSpin___crt__mtinitlocknum
                                                                                    • String ID:
                                                                                    • API String ID: 2663194512-0
                                                                                    • Opcode ID: eb106faf8e1b26fce88d9ab385a19bce52c8b1d6ed93f624575a1b4cbb9ce7c8
                                                                                    • Instruction ID: 6d10ab6dc8b4351593df2cb6b2aa098c4ccf08fcb0ada6927b093a4dc6756be0
                                                                                    • Opcode Fuzzy Hash: eb106faf8e1b26fce88d9ab385a19bce52c8b1d6ed93f624575a1b4cbb9ce7c8
                                                                                    • Instruction Fuzzy Hash: B941E271A047C68ADB148FA9D95878DBBF0AF06328F28861DD171EBBD0C774D54A8B13
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __getptd.LIBCMT ref: 6CBF09E5
                                                                                      • Part of subcall function 6CBEC386: __amsg_exit.LIBCMT ref: 6CBEC396
                                                                                    • __amsg_exit.LIBCMT ref: 6CBF0A05
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 6CBF0A32
                                                                                    • InterlockedIncrement.KERNEL32(05BE12E0), ref: 6CBF0A5D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd
                                                                                    • String ID:
                                                                                    • API String ID: 2662827482-0
                                                                                    • Opcode ID: 116047ecf516ff88c3a51cd0dca0ea600dc7c662bf2d01a23bce6f869e83f853
                                                                                    • Instruction ID: 61997a604e1ea5943774bd91819cc02448d4636e4320f5386ff4f3615cede3ef
                                                                                    • Opcode Fuzzy Hash: 116047ecf516ff88c3a51cd0dca0ea600dc7c662bf2d01a23bce6f869e83f853
                                                                                    • Instruction Fuzzy Hash: 6E01DB35A026D5EBDB109F69B51078DB770EF05768F104107D834A7B90CB34A54ACBD6
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,00000000,6CBEE2CE,6CBEAD37,00000000,?,?,?,00000000,?), ref: 6CBEC309
                                                                                    • ___set_flsgetvalue.LIBCMT ref: 6CBEC311
                                                                                      • Part of subcall function 6CBEC1DB: TlsGetValue.KERNEL32(6CBEC316), ref: 6CBEC1E1
                                                                                      • Part of subcall function 6CBEC1DB: TlsSetValue.KERNEL32(00000000), ref: 6CBEC1FE
                                                                                    • TlsGetValue.KERNEL32 ref: 6CBEC322
                                                                                    • SetLastError.KERNEL32(00000000), ref: 6CBEC376
                                                                                      • Part of subcall function 6CBF1AFB: __calloc_impl.LIBCMT ref: 6CBF1B0C
                                                                                      • Part of subcall function 6CBF1AFB: Sleep.KERNEL32(00000000,?,00000000,00000000,?,6CBEC33C,00000001,00000214), ref: 6CBF1B23
                                                                                      • Part of subcall function 6CBEC162: TlsGetValue.KERNEL32(00000000,?,6CBEC1F6), ref: 6CBEC174
                                                                                      • Part of subcall function 6CBEC162: TlsGetValue.KERNEL32(0000000D,?,6CBEC1F6), ref: 6CBEC18B
                                                                                      • Part of subcall function 6CBEC24C: GetModuleHandleA.KERNEL32(KERNEL32.DLL,6CBF6770,0000000C,6CBEC365,00000000,00000000), ref: 6CBEC25D
                                                                                      • Part of subcall function 6CBEC24C: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6CBEC286
                                                                                      • Part of subcall function 6CBEC24C: GetProcAddress.KERNEL32(?,DecodePointer), ref: 6CBEC296
                                                                                      • Part of subcall function 6CBEC24C: InterlockedIncrement.KERNEL32(6CBF8880), ref: 6CBEC2B8
                                                                                      • Part of subcall function 6CBEC24C: ___addlocaleref.LIBCMT ref: 6CBEC2DF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$AddressErrorLastProc$HandleIncrementInterlockedModuleSleep___addlocaleref___set_flsgetvalue__calloc_impl
                                                                                    • String ID:
                                                                                    • API String ID: 2909133767-0
                                                                                    • Opcode ID: ce2e49d838d965f5bf2124566616df9e9147974d7755340f3eed39b94b25cf5a
                                                                                    • Instruction ID: 415f360d0f4935c802597574733879065f2b5ee9d639d080c73948f43a0dd96a
                                                                                    • Opcode Fuzzy Hash: ce2e49d838d965f5bf2124566616df9e9147974d7755340f3eed39b94b25cf5a
                                                                                    • Instruction Fuzzy Hash: F9F022336416A16ACB2233B9AC08A8F3F34EF4BFF47240216F42093BE0DF61C8024691
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • ___initmbctable.LIBCMT ref: 6CBECDEE
                                                                                      • Part of subcall function 6CBF0E54: __setmbcp.LIBCMT ref: 6CBF0E5F
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe,00000104,?,?,?,6CBEA562), ref: 6CBECE05
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, xrefs: 6CBECDF8, 6CBECDFD
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.2969576137.000000006CBD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBD0000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.2969535342.000000006CBD0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969752361.000000006CBF8000.00000004.00000001.01000000.0000000A.sdmp
                                                                                    • Associated: 0000000A.00000002.2969849304.000000006CBFC000.00000002.00000001.01000000.0000000A.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_10_2_6cbd0000_dxwsetup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileModuleName___initmbctable__setmbcp
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                    • API String ID: 2741541922-2097431722
                                                                                    • Opcode ID: 9be3a59dc8e14932d1ad9f9257f1f44a8c32af8f1b4cf6533b8616e4b005e301
                                                                                    • Instruction ID: e5bc4af22e36ff924ec59dbe86c74c0af9e70a3166c7d1fa7a362f6a8c09c35a
                                                                                    • Opcode Fuzzy Hash: 9be3a59dc8e14932d1ad9f9257f1f44a8c32af8f1b4cf6533b8616e4b005e301
                                                                                    • Instruction Fuzzy Hash: AB219372E01198AFDB10EFB99C8089E7F78EB467A87240665E534E3B40D3306E49CB95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%